OSX_FAKEAV.A
Kaspersky: ARC:Tar ARC:[./MacSecurity.app/Contents/MacOS/MacSecurity]:Fat ; Sophos: OSX/FakeAV-A
Mac OS
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This malware is noteworthy due to the increased potential for damage that it possesses. Specifically, it targets MAC OS.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
It installs a fake antivirus/antispyware software. It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.
TECHNICAL DETAILS
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
This malware arrives via the following means:
- blackhat SEO
Rogue Antivirus Routine
This Trojan installs a fake antivirus/antispyware software.
It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.
NOTES:
It displays the following graphical user interface (GUI):
SOLUTION
NOTES:
- Terminating Malware Process
Go to Applications>Utilities> Activity Monitor and terminate the process related to Mac Security using the "Quit Process" button. - Remove Autostart Entry
Go to System Preferences -> Accounts -> Login Items
Select the checkbox for "Mac Security"
Click button to delete selected items - Restart your computer.
- Scan your computer with your Trend Micro product to delete files detected as OSX_FAKEAV.A If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.