A threat we call Trojan:MSIL/Fakeinstaller.A has been making the rounds lately. It is a slight deviation from the family of malware threats known as Trojan:Win32/Ransom.

The malware is similar to Trojan:Win32/Ransom, which seizes control of the computer by locking the user's screen and then demanding a passcode from the user. The user receives the passcode only after sending an SMS to a premium number.

This particular sample of Trojan:MSIL/Fakeinstaller.A (SHA1: 5a888391750c0efefe9dfc7dd63ed5b78f603ef9) is not as aggressive, but nonetheless racketeers by ripping some freely distributable application from the Internet and then using that to gain profit.

The malware arrives supposedly as an installer for a program. But when users actually try to install the program, they are prompted to send an SMS to a premium number, from which a reply is sent back with a code to unlock and install the application. While the application doesn’t lock up your desktop, unsuspecting users may still get charged to send the SMS to a premium account.

Fake installer for uTorrent

Fake installer for DivX

Contrary to Trojan:Win32/Ransom, which is mostly targeted towards Russian users, Trojan:MSIL/Fakeinstaller.A seems to have been purposely made for users residing in other countries in Europe.

Fake installer in different languages

 

The IP address at which we found the malware sample can be reached from a number of domain names, which are discussed in the Trojan:MSIL/Fakeinstaller.A description.

Trojan:MSIL/Fakeinstaller.A uses a number of well-known application as the lure (for example, Avast! Antivirus, DivX, eMule, and LimeWire), which suggests that it may be distributed to popular file-sharing networking sites where it can reach a number of unsuspecting and unaware users.

So, as always, we recommend that you make sure that the origin of your installer or add-on is reputable and legitimate to avoid becoming victims of these kinds of malware.

Jireh Sanico
MMPC Dublin