Friday 24 September 2010

The Malware, the SMS, and the Money

A threat we call Trojan:MSIL/Fakeinstaller.A has been making the rounds lately. It is a slight deviation from the family of malware threats known as Trojan:Win32/Ransom.
The malware is similar to Trojan:Win32/Ransom, which seizes control of the computer by locking the user's screen and then demanding a passcode from the user. The user receives the passcode only after sending an SMS to a premium number.
This particular sample of Trojan:MSIL/Fakeinstaller.A (SHA1: 5a888391750c0efefe9dfc7dd63ed5b78f603ef9) is not as aggressive, but it is a racket nonetheless: it takes a freely distributable application from the Internet and uses it to turn a profit.
The malware arrives posing as an installer for a program. When users try to install the program, they are prompted to send an SMS to a premium number, from which a reply is sent back with a code to unlock and install the application. While the application doesn’t lock up your desktop, unsuspecting users may still be charged for sending the SMS to a premium account.
Fake installer for uTorrent
Fake installer for DivX
Unlike Trojan:Win32/Ransom, which mostly targets Russian users, Trojan:MSIL/Fakeinstaller.A seems to have been made specifically for users residing in other countries in Europe.
