Fauxpersky: malware that collects all typed information, such as passwords and credit card numbers
It has several notable characteristics: it disguises itself as a legitimate copy of the Kaspersky Internet Security 2017 antivirus and sends the captured information through Google Forms, a legitimate and encrypted connection, which makes the traffic look unsuspicious and undetectable to traffic-monitoring mechanisms. It works as follows:
– it spreads through external media such as external hard drives and pendrives (thumb drives)
– it consists of four programs whose names closely resemble those of legitimate Windows programs: explorers.exe, svhost.exe, taskhost.exe and spoolsvc.exe.
– explorers.exe takes care of persistence and propagation. It searches for removable drives, renames them following its pattern, e.g. “Pendrive 8GB (Secured by Kaspersky Internet Security 2017)”, and copies its files onto them. One of these is autorun.inf (here you can check how to disable it and minimize the chances of getting infected this way), which launches the infection automatically; two more are a Kaspersky splash screen shown at user login, to make the user believe the machine is protected by the Kaspersky antivirus, and a Readme.txt that instructs the user to disable any other antivirus in case they cannot access some file or folder (it also lists a series of security products that it claims are incompatible with the installed “antivirus” and should be disabled, among them Kaspersky Internet Security 2017 itself).
– svhost.exe is responsible for capturing everything that is typed, without exception.
– taskhost.exe creates and copies the file structure inside the %APPDATA% system folder. It creates the “Kaspersky Internet Security 2017” folder and sets its attributes to read-only, system and hidden.
– spoolsvc.exe is the brains of the malware. It first modifies the Windows registry so that the system does not show hidden files and hides system files (those whose “system” attribute was set by taskhost.exe). It then checks whether explorers.exe is running and starts it if it is not (a watchdog that guarantees execution). It also creates shortcuts in the Windows Startup folder (everything inside this folder runs automatically at user login). The most important part of this program is sending the captured keystrokes, which are first written to a log file called Log.txt; once sent, that file is deleted from disk.
It does not take much care to hide itself, but it is very efficient at propagating and capturing the user’s data. To remove it manually:
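The indicators listed above can be checked on a Windows host with a short triage script. This is an added example, not code from the original post or from any Kaspersky product: the folder, process and file names are those named above; the Explorer registry values (`Hidden`, `ShowSuperHidden`) are the standard values behind the hidden-file behaviour the post describes, and their names are my assumption, not something the post states.

```powershell
# Added triage script (not from the original post). Read-only: it reports, it changes nothing.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Dropped folder in %APPDATA% (which already expands to ...\AppData\Roaming),
#    set read-only + system + hidden by taskhost.exe. -Force is needed to see hidden items.
$dropDir = Join-Path $env:APPDATA 'Kaspersky Internet Security 2017'
if (Test-Path -LiteralPath $dropDir) {
    $attrs = (Get-Item -LiteralPath $dropDir -Force).Attributes
    $findings += "Folder present: $dropDir (attributes: $attrs)"
    Get-ChildItem -LiteralPath $dropDir -Force -Recurse | ForEach-Object {
        $findings += "  file: $($_.FullName) ($($_.Length) bytes)"   # Log.txt here = keystrokes not yet exfiltrated
    }
}

# 2. The four look-alike process names. Report the image path: a taskhost.exe running from
#    System32 is a legitimate Windows binary on older Windows, so the name alone is not enough.
$lookalikes = 'explorers', 'svhost', 'taskhost', 'spoolsvc'
Get-Process -Name $lookalikes | ForEach-Object {
    $p = $_.Path
    $suspect = (-not $p) -or ($p -notlike "$env:SystemRoot\System32\*")
    $findings += "Process $($_.Name) (PID $($_.Id)) path='$p' suspicious=$suspect"
}

# 3. Explorer settings the malware flips so its files stay out of sight (assumed value names):
#    Hidden = 2 hides hidden items; ShowSuperHidden = 0 hides protected operating-system files.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$v = Get-ItemProperty -Path $adv
if ($v.Hidden -eq 2)          { $findings += "Explorer 'Hidden' = 2 (hidden files are not shown)" }
if ($v.ShowSuperHidden -eq 0) { $findings += "Explorer 'ShowSuperHidden' = 0 (system files are not shown)" }

# 4. Shortcuts in the per-user Startup folder; anything here runs at logon.
$startup = [Environment]::GetFolderPath('Startup')
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $startup -Filter '*.lnk' -Force | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    $findings += "Startup shortcut: $($_.Name) -> $target"
}

# 5. Removable drives (DriveType 2) carrying an autorun.inf; show the lines that matter
#    (label= renames the drive, open=/shellexecute= is what AutoRun would launch).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path ($_.DeviceID + '\') 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings += "Removable drive $($_.DeviceID) has autorun.inf:"
        Get-Content -LiteralPath $inf -Force |
            Select-String -Pattern '^\s*(label|open|shellexecute)\s*=' |
            ForEach-Object { $findings += "  $($_.Line.Trim())" }
    }
}

if ($findings.Count -eq 0) { 'No Fauxpersky indicators found.' } else { $findings }
```

Run it as the logged-in user, since the folder, Startup shortcuts and registry values all live in that user's profile and HKCU hive. A hit on check 1 or a suspicious path in check 2 is the strongest signal; checks 3 to 5 on their own can also come from legitimate software or user settings.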
– Delete the folder “Kaspersky Internet Security 2017” from %APPDATA%\Roaming.
– Delete all shortcuts created inside the Start Menu -> Startup folder.
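The two removal steps above, carried out with PowerShell so that the read-only, system and hidden attributes do not block the deletion, plus the two follow-ups a responder would want: reverting the Explorer registry change and disabling AutoRun so a still-infected pendrive cannot relaunch the malware. This is an added example, not code from the original post. It assumes the Startup shortcuts point into the dropped folder (the post does not say where they point, so others are listed for manual review rather than deleted), that `Hidden`/`ShowSuperHidden` are the Explorer values the malware alters, and uses the standard `NoDriveTypeAutoRun` policy value for the AutoRun hardening the post links to.

```powershell
# Added cleanup script (not from the original post). Run as the affected user.
$ErrorActionPreference = 'Stop'

# Stop the watchdog (spoolsvc.exe restarts explorers.exe) before the others, but never a
# copy running from System32, which would be a legitimate Windows binary of the same name.
foreach ($name in 'spoolsvc', 'explorers', 'svhost', 'taskhost') {
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -notlike "$env:SystemRoot\System32\*") } |
        Stop-Process -Force
}

# Step 1: delete the folder from %APPDATA% (...\AppData\Roaming). Clear the attributes first;
# Remove-Item will not touch read-only/hidden/system items without that or -Force.
$dropDir = Join-Path $env:APPDATA 'Kaspersky Internet Security 2017'
if (Test-Path -LiteralPath $dropDir) {
    Get-ChildItem -LiteralPath $dropDir -Recurse -Force | ForEach-Object {
        $_.Attributes = if ($_.PSIsContainer) { 'Directory' } else { 'Normal' }
    }
    (Get-Item -LiteralPath $dropDir -Force).Attributes = 'Directory'
    Remove-Item -LiteralPath $dropDir -Recurse -Force
    "Removed $dropDir"
}

# Step 2: delete Startup shortcuts whose target lies in the dropped folder (assumption);
# list any other shortcut so it can be reviewed by hand instead of deleted blindly.
$startup = [Environment]::GetFolderPath('Startup')
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $startup -Filter '*.lnk' -Force | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -like "$dropDir*") {
        Remove-Item -LiteralPath $_.FullName -Force
        "Removed startup shortcut $($_.Name) -> $target"
    } else {
        "Review manually: $($_.Name) -> $target"
    }
}

# Step 3: make hidden and system files visible again (undo the spoolsvc.exe registry change).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord

# Step 4: disable AutoRun for every drive type (0xFF) so an autorun.inf on a pendrive is ignored.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```

Log out and back in afterwards so Explorer picks up the registry changes, and clean any pendrive that was plugged into the machine (delete its autorun.inf and the copied files) before reusing it; otherwise the next insertion on a host with AutoRun still enabled starts the cycle again.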