Search for “Winter Olympics” and Take Your Pick—FAKEAV or Bogus Windows Media Player Updates

Cybercriminals again exploited one of the most-awaited global sports events—the “2010 Vancouver Winter Olympics”—to propagate at least two of their malicious wares. They piggybacked on the Olympics fever to promote malware-ridden sites.
To reach as many users as possible, cybercriminals poisoned Google search results for the upcoming event. As usual, clicking the malicious links to get the latest news led to sites that either host a bogus Windows Media Player update (see Figure 1) or FAKEAV.

Trend Micro threat analyst Norman Ingal found that the sites that led to a bogus Windows Media Player update, which urged users to download player_update.exe-1, actually asked them to download a malicious .EXE file detected by Trend Micro as BKDR_INJECT.ANI (see Figure 2).

BKDR_INJECT.ANI drops an encrypted system file (config\qkqitqie.sav) onto affected systems, then connects to the site http://{BLOCKED}ock.info/install/setup.php? to possibly download more malware.
The sites that led to at least three FAKEAV variants (see Figure 3), on the other hand, download TROJ_FAKEVIME.AB, a FAKEAV component that connects to either of these two sites to download TROJ_FAKEAL.SMDP (aka Security Antivirus):

http://{BLOCKED}system.in/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21105299546&pid=
http://{BLOCKED}dsystem.in/index.php?controller=mic oinstaller&abbr=SAV&setupType=xp&ttl=21105189b9a&pid=

TROJ_FAKEAL.SMDP, like previously featured FAKEAV variants, also uses scareware tactics to convince users of (continue reading...)
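The two callback patterns above (the FAKEAV micro-installer query string and the BKDR_INJECT.ANI setup.php beacon) are distinctive enough to hunt for in proxy logs. The following is an added example, not code from the original post or from Trend Micro: it classifies URLs by those patterns and runs the check over constructed squid-style log lines. The host names are placeholders, since the post redacts the real ones as {BLOCKED}.

```python
# Added example (not from the original post): flag proxy-log requests that match the
# FAKEAV micro-installer callback and the BKDR_INJECT.ANI setup.php beacon.
# Host names in the sample data are constructed placeholders, not real indicators.
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def classify_request(url: str) -> Optional[str]:
    """Label a URL that matches one of the two patterns from the post, else return None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # keep the empty 'pid=' parameter
    # TROJ_FAKEVIME.AB fetch: index.php?controller=microinstaller&abbr=SAV&setupType=..&ttl=..&pid=
    if path.endswith("/index.php"):
        controller = query.get("controller", [""])[0].lower()
        abbr = query.get("abbr", [""])[0].upper()
        if controller == "microinstaller" and abbr == "SAV" and "setupType" in query and "pid" in query:
            return "fakeav-installer"
    # BKDR_INJECT.ANI callback: .../install/setup.php? (empty query string)
    if path.endswith("/install/setup.php"):
        return "backdoor-setup"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client_ip, label, url) for each suspicious squid native-format line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:  # time elapsed client action/code bytes method URL ...
            continue
        ts, client, url = fields[0], fields[2], fields[6]
        label = classify_request(url)
        if label:
            hits.append((ts, client, label, url))
    return hits


# Constructed sample log lines in squid native format (placeholder hosts, made-up clients).
SAMPLE_LOG = [
    "1266400000.123 150 10.0.0.5 TCP_MISS/200 1043 GET http://news.example/olympics - DIRECT/192.0.2.10 text/html",
    "1266400001.456 230 10.0.0.5 TCP_MISS/200 88310 GET http://blocked-system.invalid/index.php?controller=microinstaller&abbr=SAV&setupType=xp&ttl=21105299546&pid= - DIRECT/192.0.2.20 application/octet-stream",
    "1266400002.789 90 10.0.0.7 TCP_MISS/200 512 GET http://blocked-ock.invalid/install/setup.php? - DIRECT/192.0.2.30 text/html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```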

Copyright © 2012 The Security Blog. All rights reserved.