Beware of fake Symantec AV notifications

Malware peddlers occasionally take advantage of the good reputation of big security companies to spread their malicious wares, and in a recently spotted malicious email campaign, they are misusing the names of a number of them.

The email purports to be a notification from Symantec Security Check warning the recipients that their email account may be blocked because it has been sending out “infected” emails (click on the screenshot to enlarge it):

The email also sports the “Scanning sytem…” phrase and tries to convince the recipients that the scan has found a worm on their machines. To get rid of it, they are offered a “free removal tool”.

Unfortunately, following the link will take them to a page serving a file named RemovalTool.exe, which is actually a downloader Trojan that, after being run, will phone back to its C&C server and download other malicious executables onto the machine.

Even though the spam campaign has currently a pretty limited scope, users are advised to be careful when checking out messages that seem to come from AV companies, as this campaign uses spoofed emails seemingly belonging to Sophos, F-Secure, Symantec, Verisign, and others, and the malware served is detected by only 14 percent of the AV solution used by VirusTotal.

Don't miss