Threat Research & Response Blog
A threat we call Trojan:MSIL/Fakeinstaller.A has been making the rounds lately. It is a slight deviation from the family of malware threats known as Trojan:Win32/Ransom.
The malware is similar to Trojan:Win32/Ransom, which seizes control of the computer by locking the user's screen and then demanding a passcode from the user. The user receives the passcode only after sending an SMS to a premium number.
This particular sample of Trojan:MSIL/Fakeinstaller.A (SHA1: 5a888391750c0efefe9dfc7dd63ed5b78f603ef9) is not as aggressive, but it nonetheless profits dishonestly by taking a freely distributable application from the Internet and charging users for it.
The malware arrives posing as an installer for a program. When users try to install the program, they are prompted to send an SMS to a premium number; the reply contains a code that unlocks and installs the application. While the application doesn't lock up your desktop, unsuspecting users may still be charged for sending the SMS to a premium number.
Unlike Trojan:Win32/Ransom, which mostly targets Russian users, Trojan:MSIL/Fakeinstaller.A seems to have been purposely made for users residing in other European countries.
The IP address at which we found the malware sample can be reached from a number of domain names, which are discussed in the Trojan:MSIL/Fakeinstaller.A description.
Trojan:MSIL/Fakeinstaller.A uses a number of well-known applications as the lure (for example, Avast! Antivirus, DivX, eMule, and LimeWire), which suggests that it may be distributed via popular file-sharing sites, where it can reach many unsuspecting and unaware users.
So, as always, we recommend that you make sure the origin of your installer or add-on is reputable and legitimate, to avoid becoming a victim of this kind of malware.
Jireh Sanico, MMPC Dublin