NEWS FROM THE LAB - Thursday, December 11, 2008

Faking It Posted by Response @ 05:20 GMT

Got a copy of the "Homeview Installer" today which looked harmless enough…

During installation, it runs the user through a series of procedures that look pretty routine.

Agent.FLN fake installation screen

If I try to cancel the installation at the first screen, it is nice enough to ask me if I really want to continue…

Agent.FLN quit installation screen

And if I change my mind and install it anyway…

Agent.FLN fake installation screen

Agent.FLN fake installation screen  /><br /><br /><img width=

But when installation is "completed successfully", it turns out Homeview isn't really installed.

Agent.FLN no homeview

There's just an uninstaller file that, true enough, really does remove the Homeview folder from the Program Files, and the Homeview-related registry entries.

So it really just came and went without doing anything… Oh wait, it installed Trojan:W32/DNSChanger.ARNF and none of my clicks even mattered.

Crafty little thing.

Just a reminder — do be wary of executing any file you download or receive via e-mail, if you are unsure of its trustworthiness.

Response team post by — Christine