Beware Fake Malware Cleaner Programs

July 27, 2008 – 10:41 AM

Chinese hackers are sending out malware masquerading as the Trend Micro Virus Clean Tool, according to Trend. The example in the linked Trend blog is in Chinese, so perhaps the threat is only real in China (and Taiwan). But the example is instructive.

The threat arrives as an e-mail which looks like it came from Trend Micro and the malware comes as an attachment to it. The use of an attachment is by itself unusual, as malware distribution has largely moved to using links to hijacked web sites where the malware is hosted. The Trend blog says the attachment is named iClean20.EXE, but the screen shot of the e-mail shows it as a .RAR file which probably itself contains iClean20.EXE.

iClean20.EXE uses a clever trick: It drops 2 files, one of which is the genuine Trend Virus Clean Tool, and the other the malware, detected by Trend as BKDR_POISON.GO. By pointing the user to the actually cleaning tool they may distract them from the malware. BKDR_POISON.GO opens a random port and allows a remote user to execute commands on the affected system.


You must be logged in to post a comment.