
Adware.FakeAntiVirus.L


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Adware.FakeAntiVirus.L.

Explanation:

The website detected as hosting malware can be found on the Internet under different domains, but the mechanism is always the same: it displays false adverts to trick the user into downloading and installing another piece of malware, which is a rogue antivirus (usually an XP Antivirus clone) or one of its downloaders. We call this kind of threat Trojan.FakeAlert.

If we look into the source code, we can see that the scan consists of enumerating an array found in fileslist.js. The names of the detections come from the same file and are usually taken from reliable antivirus sources. But even before the so-called scan we can see a picture of "results" (screenshot below).

This "fakealert" campaign, which has existed on the Internet for some time now, uses a predefined template for the background files:
http://[scanner_site]/[year]/[version_of_malware]/_freescan.php?id=[number]. If we change [version_of_malware] we get another display, which ultimately uses the same scheme.
It is sometimes amusing that malware creators come up with new names for [scanner_site] daily. If the host name contains the word "scan", "xp", "av" or "2008/9", or variations of the names of known trusted websites, it could be owned by the malware distributors. Here is an example: hxxp://googlescanners-360.com/2009/4/_freescan.php?id=77025301, and a big list could start here.
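The URL template and host-name hints described above can be turned into a check for proxy or DNS logs. The following is an added example, not code from BitDefender; the function names and all sample URLs other than the one quoted in this write-up are constructed for illustration, and the host-name hints are treated as weak signals that are only reported next to a path match.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path part of the template: /[year]/[version_of_malware]/_freescan.php
PATH_RE = re.compile(r"^/(?P<year>\d{4})/(?P<version>[^/]+)/_freescan\.php$")
# Host-name substrings named in the write-up ("2008/9" split into both years).
HOST_HINTS = ("scan", "xp", "av", "2008", "2009")


def refang(url):
    """Make a defanged hxxp:// URL parseable again (for analysis only)."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


def classify(url):
    """Return match details if the URL fits the template, otherwise None."""
    parts = urlsplit(refang(url))
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1 or not ids[0].isdigit():
        return None  # the template expects exactly one numeric id
    host = (parts.hostname or "").lower()
    return {
        "host": host,
        "year": m["year"],
        "version": m["version"],
        "id": ids[0],
        "host_hints": [h for h in HOST_HINTS if h in host],
    }


def scan(urls):
    """Classify every URL and keep only the ones that fit the template."""
    return [hit for hit in map(classify, urls) if hit is not None]


# First URL is the example quoted in the write-up; the rest are constructed.
SAMPLE_URLS = [
    "hxxp://googlescanners-360.com/2009/4/_freescan.php?id=77025301",
    "http://xp-av-check.example/2008/7/_freescan.php?id=12",
    "http://xp-av-check.example/2008/7/_freescan.php?id=abc",
    "http://news.example/2009/4/article.php?id=1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print(hit)
```
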

If the user tries to close the pop-ups or message boxes, they receive this message: "Dont close this window if you want your PC to be clean." or one that urges them to finish the alleged scan: "ATTENTION! You have not completed the virus scan! Your PC is still infected with spyware! Please return to [substituted]-2009.com and download Antivirus 2009 scanner."

Ultimately, this is just an annoying and simple infection method, which its builders keep using because it is effective.

Last update 21 November 2011