Special thanks to Sian John for reporting the scam.
We recently saw a malicious fake antivirus campaign. Fake antivirus software usually borrows a well-known product name such as “Windows Defender”, but this sample claims to be a Symantec product. The email claims that not only is the recipient infected, but so is every other user on the same network. It uses out-of-date Symantec branding and links to a malicious executable named RemovalTool.exe. Symantec does not produce a tool of this kind, nor does it contact users by unsolicited email in this way.
If a user downloads and executes the tool, a dialog box posing as a Java update appears:
One clue that this is a fake update is that it refers to Sun Microsystems, which developed Java but was acquired by Oracle in 2010, so a current Java updater would carry Oracle's name rather than Sun's. A stronger indicator is that the installer is not digitally signed, whereas a legitimate vendor installer carries a valid signature from its publisher. Compare this with a screenshot of the legitimate Java updater:
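As an added practitioner check (not code from the original post), the PowerShell below applies both clues to a downloaded file. It reads the version resource, which is branding the attacker chose freely, and the Authenticode signature, which cannot be forged without the signer's private key, and only clears the file when the signature is valid and the signer is the publisher you expected. The download path and the expected publisher string 'Oracle America, Inc.' are assumptions for the example, not details taken from the post.

```powershell
# Added example, not code from the original post. Assumes the downloaded file
# sits at the path below; adjust it to wherever the attachment was saved.
$path = Join-Path $env:USERPROFILE 'Downloads\RemovalTool.exe'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed publisher string: since the 2010 acquisition a genuine Java
        # updater would be signed by Oracle, not by Sun Microsystems.
        [string]$ExpectedPublisher = 'Oracle America, Inc.'
    )

    # The version resource (CompanyName, ProductName) is written by whoever
    # built the binary, so a fake can claim "Sun Microsystems" freely.
    $info = (Get-Item -LiteralPath $Path).VersionInfo

    # The Authenticode signature is checked against the trusted root store.
    # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path        = $Path
        CompanyName = $info.CompanyName      # attacker-controlled text
        ProductName = $info.ProductName      # attacker-controlled text
        SigStatus   = $sig.Status
        Signer      = $null
        Thumbprint  = $null
        Verdict     = 'DO NOT RUN'
    }

    if ($sig.Status -eq 'Valid') {
        $result.Signer     = $sig.SignerCertificate.Subject
        $result.Thumbprint = $sig.SignerCertificate.Thumbprint
        # A valid chain proves only that *someone* holding a trusted code-signing
        # certificate signed the file; the subject must also be the publisher
        # you were expecting, otherwise it is still not the real updater.
        if ($result.Signer -like "*O=$ExpectedPublisher*") {
            $result.Verdict = 'Signed by expected publisher'
        } else {
            $result.Verdict = 'Valid signature but unexpected publisher'
        }
    }

    [pscustomobject]$result
}

Test-InstallerSignature -Path $path | Format-List
```

Run this from a PowerShell prompt on the machine that received the email before anything is executed. A SigStatus of NotSigned is exactly the situation the post describes; a CompanyName of "Sun Microsystems" beside it confirms the branding clue, but on its own that text proves nothing, since it is under the attacker's control. Even a Valid signature should be treated as a fake when the signer is not the publisher the update claims to come from.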
Although the email presents the lure as fake antivirus software, the installed threat never claims that the computer is infected. There is no visual indication that anything has been installed, which may well match the user's expectations, since the installer posed as a simple removal tool rather than a complete antivirus product. The malware then downloads an information-stealing Trojan, which Symantec detects as Infostealer.
This story was originally published in this month's Symantec Intelligence Report. For further stories and trends from the month of August, you can download the report here.