A pretty well-organized group of fraudsters has been sending out messages and setting up websites to fool users into downloading and running TubeViewer.ver.6.exe. The file is not a video codec; it is a familiar installer that drops a.exe, b.exe, ~tmpc.exe and several DLLs installed as a BHO (Browser Helper Object), sometimes named msxml71.dll. The .exe components are Fakealert components that pop up phony scare messages from the system tray, like the title of this post. We’ve blogged previously about AV2009, AV360, and others.
What’s new is the addition of various ad popups alongside the FakeAV scams, like the popup shown here:
Multiple windows continue to perform phony AV scans and present phony AV results.
One of the active sites is stabilityskim.com, which serves up “Security System”.
The site will offer up install.exe, which installs executables with random numeric names to the “All users” %appdata% directory. Avoid running these files or visiting these sites.
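For triage, the file names and the numeric-name pattern described above can be checked against a file listing exported from a suspect machine. The sketch below is an added example, not code from the original post; the two "All Users" application-data roots and the sample paths are assumptions, and because names like a.exe are generic, a hit is a lead to investigate rather than a verdict.

```python
import re
from pathlib import PureWindowsPath

# Names the post lists for the installer and its dropped components.
KNOWN_NAMES = {"tubeviewer.ver.6.exe", "a.exe", "b.exe", "~tmpc.exe", "msxml71.dll"}

# Assumption: the usual "All Users" application-data roots (XP-era and Vista+).
ALL_USERS_ROOTS = [
    PureWindowsPath(r"c:\documents and settings\all users\application data"),
    PureWindowsPath(r"c:\programdata"),
]

NUMERIC_EXE = re.compile(r"\d+\.exe")


def classify(path):
    """Return the reasons a Windows path matches the post's description."""
    p = PureWindowsPath(path.strip().lower())  # Windows names are case-insensitive
    reasons = []
    if p.name in KNOWN_NAMES:
        reasons.append("known-name")
    under_root = any(p.parts[:len(r.parts)] == r.parts for r in ALL_USERS_ROOTS)
    if under_root and NUMERIC_EXE.fullmatch(p.name):
        reasons.append("numeric-exe-in-all-users-appdata")
    return reasons


def triage(paths):
    """Map each flagged path to its reasons; clean paths are omitted."""
    return {p: r for p in paths if (r := classify(p))}


# Constructed sample listing (not taken from a real host).
SAMPLE = [
    r"C:\Documents and Settings\All Users\Application Data\48213907.exe",
    r"C:\ProgramData\7731\90210.EXE",
    r"C:\WINDOWS\system32\MSXML71.DLL",
    r"C:\Program Files\Tools\2009.exe",          # numeric, but wrong directory
    r"C:\ProgramData\Vendor\setup2009.exe",      # not purely numeric
    r"C:\Documents and Settings\bob\Desktop\TubeViewer.ver.6.exe",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(f"{path}: {', '.join(reasons)}")
```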