Fake AV masquerading as Firefox/Flash update

The well known “fake scanning page” that pops up a warning about your computer being infected has been switched with a fake Firefox “Just Updated” page that is usually displayed after you run Firefox the first time after an update:

The attackers are relying on your familiarity with that page and you feeling that you can trust whatever update is pushed through it to make you unknowingly download the malware disguised as an Adobe Flash Player update.

F-Secure reports that you don’t even have to click on the link, because a download dialog box pops up automatically after the page is loaded, and asks you to save the malicious ff-update.exe file on your computer.

If you fall for it, and run it after it’s downloaded, you will be faced with this charming “Security Tool” that suggests that “mspaint.exe is infected with Virus.DOS.Glew.4245. This worm is trying to send your credit card details using mspaint.exe to connect to remote host”:

Luckily for us, the page is question is already blocked, but that doesn’t mean that others won’t be popping up and offering different fake AV variants, so be careful.