Description date

29 September 2015

Description of malware class


Programs that do not harm a computer directly, but display messages claiming that such harm has already occurred or will occur under certain circumstances, or warn the user of a non-existent threat.

Hoaxes include, for example, programs that scare the user by claiming that the user's hard drive has been reformatted (although no reformatting has taken place) or by displaying strange virus-like messages, depending on the "humor" of the hoax author.

Description of platform


Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description of malware family


Malware in this family is distributed as a password-protected archive. To extract files from the archive, the program asks the user to send an SMS message to a premium number. After the SMS message is sent, one of three things generally happens: nothing happens, the archive contents are something other than what was claimed, or the archive is expanded to reveal software that is distributed for free.

These hoax programs are fraudulent but are not harmful by themselves and do not perform any destructive actions on the user's computer.

Geographical distribution of attacks by the Hoax.Win32.ArchSMS family

Geographical distribution of attacks during the period from 27 September 2014 to 27 September 2015

Top 10 countries with most attacked users (% of total attacks)

Country % of attacked users*
1 Russia 63.17
2 China 12.37
3 Ukraine 5.22
4 Kazakhstan 3.99
5 USA 2.09
6 Germany 1.86
7 Belarus 1.73
8 France 0.91
9 India 0.60
10 Azerbaijan 0.51

* Percentage among all unique Kaspersky Lab users worldwide who were attacked by this malware