Recently, attackers have spread large numbers of malware variants that carry the same icons and version details as the update programs of popular software, in order to evade antivirus software as well as system analysts. Once they have infected a victim’s computer, they overwrite those update programs. Because the icon and version information are faked, ordinary users, and sometimes even virus researchers, are easily fooled and skip the malware without a second look.
Figure 1: The malware’s run key and processes as shown by Autorun and ProcessXP. The malware is hard to detect.
Our analysis found that the malware is written in Visual Basic and impersonates popular programs such as Adobe, DeepFreeze, Java and Windows. In addition, as soon as it executes, it starts the following services: DHCP Client, DNS Client and network sharing, and opens a port to receive the attacker’s commands.
In this case, Acrobat Reader version 9 is imitated: the malware overwrites the AdobeUpdater.exe file in the folder Adobe/Reader 9.0/Reader. To our knowledge, overwriting the update file of popular software is a new technique.
Figure 2: Fake AdobeUpdater
Figure 3: Fake Java’s update
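As an added illustration, not Bkav’s code or tooling, the following Python check applies the defensive lesson of this post: since icons and version resources can be forged, the updater binary is verified against a hash baseline taken on a clean system, with a secondary heuristic that flags files referencing the Visual Basic 6 runtime DLL (MSVBVM60.DLL, matched case-insensitively), which a genuine Adobe updater would not import. The watched path comes from the post; the file contents in the scenario are constructed stand-ins, not real executables.

```python
"""Flag updater binaries that were overwritten, using a hash baseline plus a VB6-runtime heuristic."""
import hashlib
import os
import tempfile

# Updater path named in the post (Acrobat Reader 9). Extend with other updaters as needed.
WATCHED_UPDATERS = [os.path.join("Adobe", "Reader 9.0", "Reader", "AdobeUpdater.exe")]
# VB6 executables import this runtime DLL; a genuine Adobe updater would not (heuristic only).
VB6_RUNTIME_MARKER = b"msvbvm60.dll"

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root, rel_paths):
    """Record known-good hashes of the watched updaters under `root` (taken on a clean system)."""
    return {p: sha256_of(os.path.join(root, p)) for p in rel_paths if os.path.isfile(os.path.join(root, p))}

def check_updaters(root, baseline):
    """Compare current files against the baseline; return {relative path: 'ok' | 'missing' | reasons}."""
    findings = {}
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings[rel] = "missing"
            continue
        reasons = []
        if sha256_of(full) != expected:
            reasons.append("hash-mismatch")  # icon and version info can be forged, the hash cannot
        with open(full, "rb") as f:
            if VB6_RUNTIME_MARKER in f.read().lower():
                reasons.append("vb6-runtime-import")
        findings[rel] = ",".join(reasons) if reasons else "ok"
    return findings

def simulate_overwrite(tamper=True):
    """Constructed scenario: baseline a stand-in updater, then overwrite it the way the malware does."""
    root = tempfile.mkdtemp()
    full = os.path.join(root, WATCHED_UPDATERS[0])
    os.makedirs(os.path.dirname(full))
    with open(full, "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"genuine updater stand-in")  # constructed, not a real PE
    baseline = build_baseline(root, WATCHED_UPDATERS)
    if tamper:
        with open(full, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"impostor stand-in importing MSVBVM60.DLL")
    return check_updaters(root, baseline)

if __name__ == "__main__":
    print(simulate_overwrite())  # reports "hash-mismatch,vb6-runtime-import" for the watched path
```

On a real system, take the baseline from a freshly installed machine and re-run the check after each patch cycle, since a legitimate update also changes the hash.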
In such cases, the best advice for users is to update their antivirus software regularly to get the best support and protection from specialists.
This malware is detected as W32.Fakeupver.trojan by Bkav. Bkav customers are protected against it by the latest version of our antivirus software.
Analyst: Nguyen Cong Cuong