Russian antivirus vendor Dr.Web discovered this new trojan in October. The company’s malware analysts say the trojan is spread in the form of an archived PDF, Microsoft Office, or OpenOffice file.
The infection starts when the user opens the file. The trojan copies itself to “/.gconf/apps/gnome-common/gnome-common” and then opens a decoy document, hence its name, “FakeFile.”
The trojan also adds a shortcut to itself in the user’s .profile and .bash_profile files, which lets it persist across reboots.
According to clues found in the trojan’s source code, it can perform a series of actions, such as renaming or deleting files, sending a file or a folder’s entire contents to the C&C server, sending a list of the files in a folder to the C&C server, or creating new files and folders.
The most worrisome part is that FakeFile doesn’t need root access for any of these operations; it works just fine with the current user’s permissions.
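A defender-side check for the two traces described above (the dropped binary and the reference added to the shell start-up files), written as an added example for this page rather than anything published by Dr.Web; the function names and the output format are my own, and it assumes the drop path sits under each user’s home directory:

```shell
#!/bin/sh
# Added detection check for FakeFile indicators; not code from the article
# or from Dr.Web. Assumes (as the article states) that the trojan drops
# itself at ~/.gconf/apps/gnome-common/gnome-common and references that
# path from ~/.profile and ~/.bash_profile. Function names are constructed.

DROP_REL='.gconf/apps/gnome-common/gnome-common'

# check_fakefile_home HOME_DIR
# Returns 0 if any FakeFile indicator is present under HOME_DIR, 1 if none.
# Prints each finding on stdout so the output can be fed to a ticket or SIEM.
check_fakefile_home() {
    home="$1"
    found=1
    dropped="$home/$DROP_REL"

    # Indicator 1: the dropped binary itself.
    if [ -f "$dropped" ]; then
        echo "dropped binary present: $dropped"
        found=0
    fi

    # Indicator 2: a line in the login start-up files that points at the
    # drop path (the persistence mechanism the article describes).
    for rc in "$home/.profile" "$home/.bash_profile"; do
        [ -f "$rc" ] || continue
        if grep -n -F "$DROP_REL" "$rc"; then
            echo "persistence reference in: $rc"
            found=0
        fi
    done
    return $found
}

# scan_all_homes [ROOT]
# Runs the check over every directory under ROOT (default /home) and /root.
scan_all_homes() {
    root="${1:-/home}"
    hits=0
    for h in "$root"/* /root; do
        [ -d "$h" ] || continue
        if check_fakefile_home "$h"; then
            hits=$((hits + 1))
        fi
    done
    echo "home directories with indicators: $hits"
}
```

Source the file and run `scan_all_homes` as root to cover all users, or call `check_fakefile_home "$HOME"` as an unprivileged user to inspect only your own account.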
Submitted by: Arnfried Walbrecht