This week's PandaLabs report discusses the SaveSoldier fake antivirus and the Ramson.G worm.
The first malware we're looking at this week is another example of a malicious program that passes itself off as legitimate security software in order to take users' money, tricking them into paying to remove threats that do not exist. For more information about this type of malicious program, read "The Business of Rogueware", a report on fake antiviruses written by PandaLabs researchers Luis Corrons and Sean-Paul Corell. This report is available at:
This fake antivirus is designed to harvest the personal and bank card details that users enter when they 'buy' it. It runs a simulated scan of the system for infected files (see image in: http://www.flickr.com/photos/panda_security/3861789296/) and displays an interface that resembles that of a typical antivirus program (see image in: http://www.flickr.com/photos/panda_security/3861006503/).
It then asks users to buy and install the software it is selling in order to fix the problems supposedly caused by the malware it claims to have detected on the computer.
When the fake antivirus 'detects' infected files, it prompts the user to enter an activation code that they will receive when they buy the antivirus pack (see image in: http://www.flickr.com/photos/panda_security/3861006531/). To obtain it, users are redirected to a page where they can purchase the software with a credit card (see image in: http://www.flickr.com/photos/panda_security/3861006571/). It also displays a stream of warnings about malware problems, registry errors and so on, to pressure the user into paying.
The second example of malware in this report is the Ramson.G worm. It arrives with the icon of an ordinary executable file and, once running, repeatedly invokes the Windows taskkill utility, passing it a series of process names to terminate. When the computer is restarted, a message in Russian is displayed (see image in: http://www.flickr.com/photos/panda_security/3861789428/) demanding a code to regain access to the system. Once the code is entered, it displays another message and restarts the system (see:
It spreads by copying itself to mapped network drives, shared folders and removable drives, together with an autorun.inf file that instructs Windows AutoRun to launch the copy when the drive is opened or inserted. Where AutoRun is disabled for removable media, that file is inert and the copy only runs if a user launches it by hand, so blocking AutoRun removes the automatic infection path but does not remove the dropped file.
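The autorun.inf trick is easy to check for from the defender's side. The following script is an added example written for this report, not PandaLabs code and not derived from the worm itself: it parses the [autorun] section of an autorun.inf body, tolerating the junk lines and odd casing that such files often contain, and reports every directive that would cause Windows to run a program. The two sample files (a worm-style one pointing at a constructed path hidden\update.exe, and a harmless vendor one that only sets an icon and label) are constructed for illustration.

```python
"""Flag autorun.inf files that would auto-launch a program from a drive.

Added example for the Ramson.G description above; it is not PandaLabs code.
Both autorun.inf samples below are constructed for illustration.
"""
import os
import re

# [autorun] directives that make Explorer / AutoPlay run a program:
#   open=...                  run on insertion or AutoPlay (older Windows)
#   shellexecute=...          same, via ShellExecute (may name a document)
#   shell\<verb>\command=...  bound to Explorer context-menu verbs; the
#                             "open" verb hijacks the drive's double-click
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Constructed worm-style sample: junk line, mixed case, three launch paths.
WORM_AUTORUN = r"""[AutoRun]
;some junk to confuse parsers
xZq@#!garbage
open=hidden\update.exe
shell\open\command=hidden\update.exe /s
shell\explore\command=hidden\update.exe /s
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed benign sample, as a USB stick vendor might ship it.
VENDOR_AUTORUN = r"""[autorun]
icon=vendor.ico
label=USB DISK
"""


def parse_autorun(text):
    """Tolerant parse of the [autorun] section only.

    Hand-rolled rather than configparser because malicious autorun.inf
    files often carry junk lines, NUL bytes and duplicate sections meant
    to trip strict parsers while Windows still honours the directives.
    """
    entries = {}
    section = None
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk or a line outside [autorun]
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries):
    """Return (directive, value) pairs that would execute something."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def program_from(value):
    """Best-effort extraction of the program a directive would run."""
    value = value.strip().strip('"')
    for ext in EXEC_EXT:  # cut at the first known executable extension
        idx = value.lower().find(ext)
        if idx != -1:
            return value[: idx + len(ext)]
    return value.split()[0] if value else ""


def assess(text):
    """Return (verdict, findings) for one autorun.inf body."""
    findings = []
    for key, value in launch_directives(parse_autorun(text)):
        prog = program_from(value)
        findings.append({"directive": key, "program": prog,
                         "executable": prog.lower().endswith(EXEC_EXT)})
    verdict = "suspicious" if any(f["executable"] for f in findings) else "benign"
    return verdict, findings


def scan_drive(root):
    """Assess <root>/autorun.inf if present; None when the drive has none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return assess(fh.read().decode("latin-1"))


if __name__ == "__main__":
    for name, body in (("worm", WORM_AUTORUN), ("vendor", VENDOR_AUTORUN)):
        print(name, assess(body))
```

Point scan_drive at a mounted removable or network drive root (for example `scan_drive("E:\\")` on Windows) to triage a real device. Installer CDs legitimately use `open=setup.exe`, so treat a "suspicious" verdict as a reason to inspect the named program on a removable or shared drive rather than as proof of infection.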
More information about these and other malicious codes is available in the Panda Security Encyclopedia http://www.pandasecurity.com/homeusers/security-info/about-malware/encyc
You can also follow Panda Security's online activity on its Twitter http://twitter.com/Panda_Security and PandaLabs blog (www.pandalabs.com)