CRYP_FAKEAV-29

This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:

• FAKEAV
• FAKEAL

FAKEAV variants arrive on systems via compromised websites, spammed malicious links; poisoned search results that lead to FAKEAV download pages, malicious posts on social networking sites, and malicious advertisements. They may also be downloaded by other malware.

Since 2008, FAKEAV rode on the popularity of disastrous events such as the 9/11 attacks or the Great East Japan Earthquake. FAKEAV also takes advantage of celebrity names like Paris Hilton in order to victimize users. Cybercriminals behind FAKEAV scare its victims by showing fake system infections until the victims download or decide to purchase the fake antivirus product.

Other routines of FAKEAV malware include connecting to adult sites and blocking rootkit detection tools such as GMER and Rootkitbuster to prevent easy removal from affected systems. Later variants of FAKEAV target Macs and spread via social networking sites such as Twitter and Facebook.

There are various operators behind pushing FAKEAV malware. Apart from the creators of the fake anti-malware file, there are traffic redirectors, site compromisers, bot herders, exploit kit creators, and other cybercriminal underground entities that push, and benefit, from the operation of FAKEAV.

This Trojan employs registry shell spawning by adding certain registry entries. This allows this malware to execute even when other applications are opened.

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.