    • Comment author: KrazyIvan
    • Comment time: Jan 8th 2010
     

    This week's PandaLabs report looks at two fake antiviruses: PcLiveGuard and GreatDefender.

    This type of malware passes itself off as legitimate software applications in order to steal users' money by tricking them into believing that they will eliminate threats on their computers. Panda Security has published a report on fake antiviruses, available at:
    http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf

    Similarly, the PandaLabs Annual Report also provides information about the situation of this malware at:
    http://www.pandasecurity.com/img/enc/Annual_Report_PandaLabs_2009.pdf

    PcLiveGuard's icon resembles a legitimate antivirus icon. When run, a typical screen is displayed, asking users if they want to scan their PCs. See pic at: http://www.flickr.com/photos/panda_security/4255539533/

    Regardless of whether users accept or not, it will indicate their computer is infected. Here is the image that will be displayed if users scan their PC (http://www.flickr.com/photos/panda_security/4256301498/).

    If users do not scan their PC with the fake antivirus, infection warnings are displayed to scare them into purchasing the product.

    GreatDefender is a fake antivirus which informs users about potentially dangerous software on the computer, due to it not being correctly protected. It tries to get users to pay with their credit cards in order to install the solution.

    The objective of the antivirus is to collect personal and bank details provided by users on purchasing it. As this type of malware cannot reproduce itself, it requires user interaction to infect the PC. To do so, it uses its own websites on which it is advertised as one of the best anti-spyware solutions in the market. Picture available at:
    http://www.flickr.com/photos/panda_security/4256301526/

    When users access the website, they are given the option to download the antivirus, but when they try, the trial version is unavailable and they are redirected to the pay version.

    The installation process is similar to that of any antivirus, allowing users to select the language and location of the files. Once the installation ends, the fake antivirus carries out a full system scan.
    It then falsely assures users that their computers are free from any infections.

    To make users believe they are protected, an icon is displayed on the Windows desktop, the quick taskbar and the Windows start menu, to make it look as authentic as possible.

    More information about these and other malicious codes is available in the Panda Security Encyclopedia http://www.pandasecurity.com/homeusers/security-info/.

    • Comment author: KrazyIvan
    • Comment time: Jan 15th 2010
     

    This week's PandaLabs report looks at three new fake antiviruses.

    LivePcCare is the first of these malicious programs. As usual with these malicious codes, first it carries out a fake scan of the infected user's computer, and then claims the system is infected. It asks the user to purchase a license (of a fake antivirus) at a very attractive price to resolve this issue. If users purchase it, they will have paid for fraudulent software. This fake antivirus stands out because of the way it spreads, as it uses Black Hat SEO techniques, exploiting the launch of Google's Nexus One phone and the Haiti earthquake. Thanks to these techniques, it manages to include malicious malware-downloading links in search engines' top results (see images in Flickr:
    http://www.flickr.com/photos/panda_security/4274685650/ and http://www.flickr.com/photos/panda_security/4274685718/). You can get more info at: www.pandalabs.com.

    DesktopDefender2010 also makes users believe their computers are infected (see image in Flickr:
    http://www.flickr.com/photos/panda_security/4274685852/) and prompts users to purchase the product (see image in Flickr:
    http://www.flickr.com/photos/panda_security/4273941293/).

    Finally, APcDefender uses the same techniques. It is a fake antivirus program that falsely informs users they have dangerous software on their computer (see image in Flickr:
    http://www.flickr.com/photos/panda_security/4273941147/). It tries to fool users by offering them its own anti-malware solution to solve the problems it claims to have detected, and invites them to purchase the software using their credit cards (see image in Flickr:
    http://www.flickr.com/photos/panda_security/4273941179/). This way, in addition to stealing users' money, it also obtains their credit card details.

    More information about these and other malicious codes is available in the Panda Security Encyclopedia http://www.pandasecurity.com/homeusers/security-info/.

    • Comment author: KrazyIvan
    • Comment time: Jan 25th 2010
     

    This week's PandaLabs report looks at a worm, a Trojan and a new fake antivirus.

    TwittWorm.A is a worm that uses Twitter and Messenger in order to spread, sending a malicious message to all contacts of the infected user. These messages appeal to the curiosity of users, with subjects such as "I just got a piercing and you'll never guess where! Take a look at the photo. ;) " or "You're going to be mad at me for sending you this photo, but you NEED to see it :3". The worm edits the registry so the system cannot be restored or started in safe mode. It also makes a series of changes to the host file to prevent users from accessing certain Web pages, particularly those related to antivirus companies.
    Another feature is that it prevents the running of certain programs for viewing active processes or monitoring network traffic. TwittWorm.A also spreads through USB devices, creating an autorun.inf to automatically infect computers on connection. To protect these types of devices, Panda Security has launched Panda USB Vaccine, which can be downloaded free
    from: http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

    Sinowal.WTF is a keylogger Trojan, designed to capture keystrokes with the aim of stealing passwords and other information from infected systems. This Trojan reaches computers through an email claiming to have been sent from MySpace (see image in Flickr:
    http://www.flickr.com/photos/panda_security/4293518692/). The message warns victims about a change to the user's password and contains a .zip file attachment which supposedly contains the new password. The attached file, once extracted, has an Excel icon, but is really malware. When run, the system is infected and the icon disappears.

    Finally, GhostAntivirus is a new strain of fake antivirus. As with other malware of this kind, it tries to fool users by displaying false infections, remote connections and vulnerabilities that do not exist (see image in Flickr:
    http://www.flickr.com/photos/panda_security/4292776611/). If users fall for the trap, they are directed to a screen where their credit card details are requested to carry out the transaction (see image in Flickr:
    http://www.flickr.com/photos/panda_security/4293518638/). This way, as well as obtaining money for a service that will never be provided, cyber-crooks steal users' credit card details.

    More information about these and other malicious codes is available in the Panda Security Encyclopedia http://www.pandasecurity.com/homeusers/security-info/.
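
A defender-side triage for two of the changes the report above attributes to TwittWorm.A: hosts-file entries that block antivirus sites, and the autorun.inf it creates on USB devices. This is an added example, not part of the original post and not PandaLabs code; the keyword list, function names and sample inputs are constructed assumptions.

```python
import ipaddress

# Assumption: substrings that mark a hostname as security-related (constructed list).
SECURITY_KEYWORDS = ("pandasecurity", "antivirus", "virus", "malware", "security")
# autorun.inf keys that start a program from the removable drive.
LAUNCH_KEYS = ("open", "shellexecute")

def blocked_security_hosts(hosts_text):
    """Return (line_no, ip, hostname) for entries that sink security sites."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        # Only loopback / 0.0.0.0 targets are treated as "blocking" here.
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for host in fields[1:]:
            name = host.lower()
            if any(keyword in name for keyword in SECURITY_KEYWORDS):
                findings.append((line_no, str(ip), name))
    return findings

def autorun_launch_targets(inf_text):
    """Return (key, command) pairs in the [autorun] section that start a program."""
    targets, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets

# Constructed samples, not taken from a real infection.
SAMPLE_HOSTS = ("127.0.0.1 localhost\n"
                "127.0.0.1 www.pandasecurity.com  # constructed entry\n"
                "0.0.0.0 update.antivirus.example\n"
                "192.0.2.10 intranet.example\n")
SAMPLE_AUTORUN = "[autorun]\nopen=update.exe\nicon=folder.ico\nshell\\open\\command=update.exe\n"

if __name__ == "__main__":
    print(blocked_security_hosts(SAMPLE_HOSTS))
    print(autorun_launch_targets(SAMPLE_AUTORUN))
```

On a Windows host the inputs would be the contents of `%SystemRoot%\System32\drivers\etc\hosts` and of `autorun.inf` at the root of the removable drive.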

 