The trojan in question is DarkAngle, and it does all the nasty things we have come to expect. “This Trojan is designed to steal every piece of information you can have in your computer,” PandaLabs technical director Luis Corrons told Infosecurity. “It can even use the computer's webcam and microphone to record video and audio and send it to the cybercriminals. Not only that, it can download and install new pieces of malware.” Nothing unusual about this,” he blogged elsewhere, “just one more to add to the more than 73,000 new viruses that appear every day.”
But it does do a bit more. It has its own evasion techniques, can kill processes and reloads itself on re-boot, making it particularly persistent. It also adds over 20Mb of junk data to itself to help avoid cloud scanning (since malware is rarely so large, some AVs don’t scan such large files).
This isn’t the first time Panda Cloud AV has been used as a lure. At the end of last year more traditional rogueware disguised itself as Panda Cloud and performed an automatic scan. Needless to say it found a range of false malware, but demanded it be purchased before the malware could be removed. “If you don’t [buy] it,” explained Corrons at the time, “you’ll get a message every now and then telling you are still infected. And what is worse, every time you try to run any program in your computer it will tell you that it is infected, so your computer will be useless.”
This one, however, looks like it “has been created by Chinese cybercriminals,” Corrons told Infosecurity. “As it is a Trojan it does not spread by itself, however cybercriminals will use different means to do so. Given the name of the file and the icon used, it looks like they are trying to offer it as a free download, via download portals and spam messages.”
If you’ve already got Panda Cloud you’re safe – Panda Cloud AV detects and removes DarkAngle. If you haven’t, Corrons offers the following advice: “If any user is offered any product from an untrusted source, it is better to visit the web site of the developer and get it from there.” Good advice for any software.