New Scareware E-mails Link to Malicious Files Hosted at RapidShare
Security researchers at the Belgian security firm MX Lab have warned users about a new wave of malicious e-mails that lure recipients into installing scareware hosted on RapidShare.
According to the vendor, the e-mails are sent from random forged addresses and their content is terse: the body consists of nothing but a link of the form http://rapidshare.com/files/[censored]/surprise.exe.
The malware file, surprise.exe, is 384 kB in size. At present it has a fairly low detection rate on VirusTotal, with 16 of 43 anti-virus engines flagging it. Some products identify it as fake anti-virus software, also known as rogueware or scareware, while others classify it as a Trojan downloader. Detection names include Win32:Trojan-gen (Avast), Gen:Variant.FakeAlert.47 (F-Secure) and Mal/FakeAV-EE (Sophos).
The scareware classification is consistent with MX Lab's analysis, which reports that the malware drops a file named 217103390.exe (the name can vary) into the 'Application Data' folder and creates a shortcut, "Security Shield.lnk", in the 'Programs' folder.
A window then appears on the desktop announcing that the security program has been installed successfully. Besides, a startup registry is
RunOnce keys execute a program only once and are deleted afterwards, so the application may well recreate the key each time it runs.
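The host artifacts described above (an executable dropped into Application Data, a "Security Shield.lnk" shortcut in Programs, and an autorun entry that may already have deleted itself) can be checked with a small triage script. The following is an added example, not code from MX Lab or from the article; it runs over a constructed snapshot of a host rather than querying a live registry, and the profile paths and the benign control entries are assumptions. It deliberately looks at the dropped file and shortcut as well as the RunOnce value, because a RunOnce value that has already fired will be gone by the time the machine is examined.

```python
import ntpath

# Constructed snapshot of one Windows host (not real forensic data): the Run/RunOnce
# values and the file listings a triage script would normally collect. The profile
# paths and the benign entries are assumptions; the dropped-file and shortcut names
# come from the MX Lab description quoted in the article.
SAMPLE_HOST = {
    "runonce_values": {
        "217103390": r"C:\Documents and Settings\user\Application Data\217103390.exe",
    },
    "run_values": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "appdata_files": [
        r"C:\Documents and Settings\user\Application Data\217103390.exe",
        r"C:\Documents and Settings\user\Application Data\Microsoft\Outlook\outlook.srs",
    ],
    "programs_shortcuts": [
        r"C:\Documents and Settings\user\Start Menu\Programs\Security Shield.lnk",
        r"C:\Documents and Settings\user\Start Menu\Programs\Internet Explorer.lnk",
    ],
}

# Shortcut name taken from the article; extend this set from your own intelligence.
KNOWN_ROGUE_SHORTCUTS = {"security shield.lnk"}


def is_under_appdata(path):
    """True for paths inside the roaming profile ('Application Data' or the newer 'AppData')."""
    lowered = path.lower()
    return "\\application data\\" in lowered or "\\appdata\\" in lowered


def is_executable(path):
    return path.lower().endswith(".exe")


def numeric_basename(path):
    """True when the file name without extension is purely numeric, e.g. 217103390.exe."""
    stem, _ = ntpath.splitext(ntpath.basename(path))
    return stem.isdigit()


def find_indicators(host):
    """Return a list of (where, path, reason) tuples for the artefacts the article describes."""
    findings = []
    # 1. Autorun values (Run and RunOnce) that launch an executable from Application Data.
    for key_name, values in (("RunOnce", host["runonce_values"]), ("Run", host["run_values"])):
        for name, target in values.items():
            if is_executable(target) and is_under_appdata(target):
                findings.append((key_name + ":" + name, target,
                                 "autorun entry launches an executable from Application Data"))
    # 2. The dropped file itself. Checked separately from the registry because a RunOnce
    #    value is deleted after it fires and may be absent when the host is examined.
    for path in host["appdata_files"]:
        if is_executable(path) and numeric_basename(path):
            findings.append(("file", path, "executable with a purely numeric name in Application Data"))
    # 3. Start-menu shortcuts whose names belong to known rogue anti-virus products.
    for lnk in host["programs_shortcuts"]:
        if ntpath.basename(lnk).lower() in KNOWN_ROGUE_SHORTCUTS:
            findings.append(("shortcut", lnk, "shortcut name associated with rogue anti-virus"))
    return findings


if __name__ == "__main__":
    for where, path, reason in find_indicators(SAMPLE_HOST):
        print(f"[{where}] {path}\n    {reason}")
```

On a real host the three dictionaries would be filled from the Run and RunOnce keys, a listing of the user's Application Data folder and a listing of the Start Menu Programs folder; the matching logic stays the same.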
Security experts note that distributing scareware is a very lucrative business for cybercriminals, who use the proceeds to fund other illegal activities. A quick Google search for this threat reveals reports of the same short e-mails, containing only a link to a file named surprise.exe hosted on RapidShare, dating back to 2007.
In those cases, users reported that the bogus e-mails had been sent from their own e-mail accounts to all of their contacts, so it is likely that hijacked mailboxes are being used to lend the messages credibility in these attacks.
Users are therefore advised to be extra careful with e-mails that contain links, even when they appear to come from trusted sources, and especially when the links point to .exe files.
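The lure described earlier (a message whose body is nothing but a link to an .exe on a file-hosting site) and the advice just given about links to .exe files can both be turned into a simple mail-triage rule. The following is an added example, not code from MX Lab, SPAMfighter or the article: it scores constructed sample messages on three signals (link to an executable, link to a file-hosting domain, body that is only a link). The sample addresses, the "000000" path segment standing in for the censored part of the URL, and the extra executable suffixes beyond .exe are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real mail from the campaign). The first mimics the
# lure described in the article; the other two are benign controls.
SAMPLE_MESSAGES = [
    {"from": "friend@example.net",
     "body": "http://rapidshare.com/files/000000/surprise.exe"},
    {"from": "colleague@example.org",
     "body": "Minutes attached, see https://intranet.example.org/wiki/minutes"},
    {"from": "newsletter@example.com",
     "body": "Download the report: https://files.example.com/report.pdf\nThanks!"},
]

# File-hosting domain named in the article; extend from the hosts seen in your own mail flow.
FILE_HOSTS = {"rapidshare.com"}
# The article mentions only .exe; the other suffixes are an assumption covering common
# Windows executable types.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    return URL_RE.findall(body)


def is_bare_link_body(body, urls):
    """True when the body contains nothing but URLs and whitespace."""
    if not urls:
        return False
    remainder = body
    for url in urls:
        remainder = remainder.replace(url, "")
    return remainder.strip() == ""


def score_message(msg):
    """Return (score, reasons); a higher score means a more suspicious message."""
    urls = extract_urls(msg["body"])
    score, reasons = 0, []
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            score += 2
            reasons.append(f"link to executable: {url}")
        if host in FILE_HOSTS or host.endswith(tuple("." + h for h in FILE_HOSTS)):
            score += 1
            reasons.append(f"link to file-hosting site: {host}")
    if is_bare_link_body(msg["body"], urls):
        score += 1
        reasons.append("body consists of nothing but a link")
    return score, reasons


def triage(messages, threshold=3):
    """Return (sender, score, reasons) for every message at or above the threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg["from"], score, reasons))
    return flagged


if __name__ == "__main__":
    for sender, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"{sender}: score {score}")
        for reason in reasons:
            print("   ", reason)
```

The executable-link signal carries the most weight because it is the one the article singles out; the file-hosting and bare-body signals only raise the score, so a legitimate link to a document on a hosting site is not flagged on its own.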
» SPAMfighter News - 24-12-2010