Recently, our HoneyPot has collected a series of spam emails impersonating the FBI (they appear to be sent from the address firstname.lastname@example.org). The emails carry threatening content and ask the recipient to open the attached file in order to answer certain questions.
Figure 1: Email content
The attached file is in fact a Trojan. When users open it, the Trojan connects to the address http://vari[removed]tov.com/pusk.exe to download and execute another piece of malware, which Bkav detects as W32.FakeFBIVariantovLT.Trojan.
FakeFBIVariantovLT constantly displays notifications of hard drive failure:
Figure 2: Warning of hard disk drive errors
According to these warnings, the system appears to be in bad condition and data loss looks imminent. However, “the savior” appears immediately afterwards:
Figure 3: Interface of the “savior” WindowsRecovery
WindowsRecovery claims it will fix these problems and, accordingly, recover all of your important data. But first you have to pay an amount to buy a license for the software.
Figure 4: Fake domain windows-recovery.com, accessed through a fake Internet Explorer window
If you follow the fake software’s instructions, you have fallen victim to the bad guy’s scheme, which is akin to the FakeAV scenario of fake antivirus software that has been rampant recently. The difference is that this time the malware impersonates recovery software and issues warnings of hard drive failure instead of the usual software errors, showing how the bad guy’s scheme is changing.
To ensure comprehensive protection, users are recommended to use licensed antivirus software with regular updates.
Nguyen Van Long