Fake Antivirus abuses regular software names

This morning we stumbled over a file called “Wireshark.exe” which was detected as malicious by Avira. This was a bit irritating, as a regular file name was being detected. We use Wireshark on a daily basis because it is a very helpful packet analyzer, so we took a deeper look at the file.

The file was packed with a runtime packer, nothing special though. But this was raising our suspicion as the real Wireshark is not packed. So, we unpacked the file:

We find plenty of suspicious strings, like “Wireshark Antivirus” or “Adobe Loader” as a Run key for the Windows Registry. The unpacked file also contains a batch script that will be created and run to delete a file. This is very common for malware: it deletes the originally executed file after it has created a copy of itself in the Windows system directory.
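As an added example (not code from this post or from Avira), here is a small Python triage script that applies the checks described above to a byte string: a Shannon entropy heuristic for runtime packing, and string searches for the fake brand name, a Run-key persistence string and a self-deleting batch pattern. The two samples are constructed in the script and are not the real malware; the Run-key path and the batch pattern are assumed shapes of what the post describes.

```python
import math
import random
import re

# Constructed stand-ins for an unpacked and a packed executable (not the real sample).
UNPACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"This program cannot be run in DOS mode.\x00" * 4
    + b"Wireshark Antivirus\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00Adobe Loader\x00"
    + b":repeat\r\ndel \"%s\"\r\nif exist \"%s\" goto repeat\r\n\x00"
)
random.seed(1)  # deterministic "packed" body: near-random bytes, no readable strings
PACKED_SAMPLE = b"MZ\x90\x00" + bytes(random.randrange(256) for _ in range(4096))

# Indicators taken from the analysis above; the Run-key path and batch shape are assumptions.
SUSPICIOUS_PATTERNS = {
    "fake_av_brand": re.compile(rb"Wireshark Antivirus", re.I),
    "run_key": re.compile(rb"Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I),
    "batch_self_delete": re.compile(rb"del\s+\"?[^\r\n]+\"?\r?\n\s*if\s+exist", re.I),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted sections approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Return which indicators were found plus a packing heuristic."""
    findings = {name: bool(pat.search(data)) for name, pat in SUSPICIOUS_PATTERNS.items()}
    findings["likely_packed"] = shannon_entropy(data) > entropy_threshold
    return findings


def verdict(findings: dict) -> str:
    """Packing alone is not proof of malice (legitimate installers are packed too),
    but it hides strings, so a packed file must be unpacked before judging it."""
    hits = [k for k, v in findings.items() if v and k != "likely_packed"]
    if findings["likely_packed"] and not hits:
        return "packed: unpack before judging"
    return "suspicious" if len(hits) >= 2 else "clean"
```

Running `verdict(triage(PACKED_SAMPLE))` returns "packed: unpack before judging", while the unpacked sample yields "suspicious" because all three string indicators are present.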

To see what exactly this file is, we executed it. Right after execution, the following window appears:

So we are dealing with just another fake antivirus scanner. It has obviously nothing to do with the Wireshark packet analyzer:

Avira protects against this threat. The malicious FakeAV is detected as TR/Dldr.FakeAV.AZ.

Thomas Wegele
Virus Researcher