Fake Antivirus "SecurityTool" spreads via Social Security Spam

The authors and distributors of fake antivirus software are inventive in how they spread it. Last week, for example, we found fake antivirus being pushed from a bogus Firefox/Flash Player update site.

This week they have moved on to the next social engineering scheme: old-fashioned spam emails with the subject “Review your annual Social Security statement”.

The email carries an attachment named “statement.zip”, which contains the malware “statement.exe”. Avira detects it proactively, by heuristics, as TR/Crypt.XPACK.Gen.
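The delivery trick here is an old one: an executable hidden inside a ZIP attachment. A mail gateway can flag this vector before any signature exists by unpacking ZIP attachments and checking their members for executable extensions or a PE header. The following is an added example, not code from the original post or from Avira; it builds a constructed message that mimics the campaign (the ZIP holds a harmless two-byte "MZ" stub, not the real sample, and the sender and recipient addresses are invented) and then runs the check over it.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that have no business arriving inside a mailed archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Content types under which mail clients commonly send ZIP files.
ZIP_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}


def build_sample_message() -> bytes:
    """Constructed message mimicking the spam described above.

    The archive member is an 'MZ' stub followed by zero padding, not a real
    binary. Addresses are invented placeholders.
    """
    fake_exe = b"MZ" + b"\x00" * 62  # constructed PE-like stub, not malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statement.exe", fake_exe)

    msg = EmailMessage()
    msg["Subject"] = "Review your annual Social Security statement"
    msg["From"] = "noreply@example.invalid"   # constructed sender
    msg["To"] = "victim@example.invalid"      # constructed recipient
    msg.set_content("Your annual statement is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    return msg.as_bytes()


def suspicious_archive_members(raw_message: bytes) -> list:
    """Return one finding per archive member that looks executable.

    Each finding is a dict with the attachment name, the member name
    (None if the ZIP could not be parsed) and the reason it was flagged.
    Only the first two bytes of each member are read, so oversized or
    deliberately bloated members are not fully decompressed.
    """
    findings = []
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype not in ZIP_TYPES and not filename.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            # A ZIP that will not parse is itself worth a look.
            findings.append({"attachment": filename, "member": None,
                             "reason": "unreadable zip"})
            continue
        with zf:
            for info in zf.infolist():
                name = info.filename
                ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
                with zf.open(info) as member:
                    head = member.read(2)
                reasons = []
                if ext in EXECUTABLE_EXTENSIONS:
                    reasons.append(f"executable extension {ext}")
                if head == b"MZ":
                    reasons.append("PE magic (MZ) at offset 0")
                if reasons:
                    findings.append({"attachment": filename, "member": name,
                                     "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_archive_members(build_sample_message()):
        print(finding)
```

Checking the magic bytes as well as the extension matters: a renamed member such as "statement.pdf" with an MZ header is still caught, and a double extension like "statement.pdf.exe" is caught by the extension rule. Password-protected archives defeat the member read and should be treated as suspicious on their own.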

When the attachment is executed, it downloads two further binaries: the “SecurityTool” fake antivirus scanner and a backdoor. Avira detects the fake antivirus as TR/FakeAV.HA and the backdoor component as BDS/Reberi.A.

Once downloaded and run, the Trojan TR/FakeAV.HA displays the usual fake antivirus warnings.

Thomas Wegele
Virus Researcher