Recently, our HoneyPot has collected a series of spam emails impersonating the FBI (which appear to be sent from the address: ) with threatening content, asking the recipient to open the attached file to answer certain questions.

Figure 1: Email content

The attached file is in fact a Trojan. When users open it, this Trojan connects to the address http://vari[removed] to download and execute another malware, which Bkav detects as W32.FakeFBIVariantovLT.Trojan.

FakeFBIVariantovLT constantly displays notifications of hard drive failure:

Figure 2: Warning of hard disk drive errors

According to these warnings, the system seems to be in bad condition, and the risk of data loss is evident. However, “the savior” appears immediately after that:

Figure 3: Interface of the “savior” WindowsRecovery

WindowsRecovery is said to help you fix these problems; accordingly, all your important data will be recovered. But you have to pay an amount to buy the license of this software.

Figure 4: Fake domain: accessed via a fake-Internet Explorer software

If you follow the fake software’s instructions, you have fallen victim to the bad guy’s scheme, which is akin to the scenario of FakeAV, the fake antivirus software that has been rampant recently. The difference is that this time the malware impersonates recovery software and issues warnings of hard drive failure instead of the usual software errors, showing how the bad guy’s scenario is changing.

To ensure comprehensive protection, users are recommended to use licensed antivirus software with regular updates.

Nguyen Van Long

Malware researcher
