The malware is delivered via email, and among other things, it misuses the system tray icon of the aforementioned legitimate software. Users clicking on the icon are faced with pop-up messages claiming that "Your Avast! Antivirus is being updated, wait" or "Avast! antivirus: Attention, your system is protected."
The Trojan is written in Delphi, and is small in size - only 386Kb - but it still manages to do nasty things such as trying to remove legitimate AV software from the infected computer before installing itself. Among the targeted software are solutions by Microsoft, Kaspersky, Panda, McAfee, Symantec, Avast, and others.
Bestuzhev speculates that the malware creators decided to disguise it as Avast AV because it's the most popular one in Brazil, and because people in Latin America still don’t want to pay when there is something to be had for free.
He also warns that Brazilian banking Trojans often come with fake descriptions, trying to pose as modules of different AV products:
Add to this the fact that some Brazilian banking malware is signed with valid digital certificates, and it's easy to see why cyber theft is rampant in Latin America.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.