Bogus Symantec Security Check Emails Push Malicious Virus Removal Tool

Some cleverly designed emails, purporting to originate from Symantec, have been seen doing the rounds in the past few days. They attempt to trick recipients into downloading a malicious removal tool.

Experts from Websense have analyzed these emails and determined that they seem to come from various spoofed email addresses such as: scanner@symantec.com, scanonline@f-secure.com, symantec@verisign.com, scan@sophos.com, symantec@sophos.com, virscan@secureroot.com and noreply@verisign.com.

Although, currently, this is only a low-volume campaign, the official-looking addresses combined with the well-designed notification could easily ensure it a high success rate.

Inside the body of the email there’s a message that reads “Scanning system.” Once this fake scan is complete, a warning notifies the victim that a piece of malware called W32.Swizzor.C-WORM is present on the computer.

The download link that apparently leads to an application that can be utilized to remove the threat serves RemovalTool.exe.

A closer look at the app has revealed that it connects to a command and control server to download other malicious executable files.

We advise users to take a good look at the sample and avoid such emails as much as possible.