Archive for the ‘FakeAlert’ Category

FakeAv Antivirus XP 2010

Thursday, March 11th, 2010

As we posted last week, Trojan.FakeAv continues to be one of the highest-hitting families of malware prevented in the ThreatFire community again this week. And because so many users continue to run Windows XP, it is this variant of the family that continues to pop up the most. Frequently, the malware resides simply as “av.exe” on users’ systems:

[Screenshot: AVXP2010]

The bogus software follows the trends we presented at Virus Bulletin 2008 two years ago, where we noted the rising FakeAv families, technical details of “Recent Rogueware”, their similarities with earlier malware families, and their delivery.

[Screenshot: AVXP2010_Alert]

Windows Defender 2010 FakeAv at the Top of this Morning’s List

Tuesday, February 16th, 2010

The group behind “live-windowsantivirus. com” is having a very busy morning distributing the rogueware XP Internet Security 2010. We grabbed some snapshots of the current incarnation of the malware for you, since users appear to be falling for it in large numbers. The full window and the balloon popup stating “System Danger! Your system security is in danger” must be convincing…

[Screenshot: 2.System_Danger]

Fake scan results are presented immediately…

[Screenshot: 1.XP_InternetSec]

As we have been presenting for the past several years, the user is tipped off that something is amiss when their software claims it is “unregistred” (see the window’s title bar).

[Screenshot: 3.Attention_Danger]

Following the “Attention: DANGER!” message, the Windows user may attempt to open Internet Explorer. The FakeAv has modified the browser and instead pops up a window claiming the system is infected with Trojan-BNK.Win32.Keylogger.gen and recommending activation of XP Internet Security 2010…

[Screenshot: 4.Firewall_Alert]

When the user attempts to activate the phony product, a purchase window for “Windows Defender 2010” appears…

[Screenshot: 5.WindowsDefender2010]

Running down the side of the page are fraudulent claims to have won awards from West Coast Labs and Virus Bulletin:

[Screenshot: 6.PhonyAwards]

Entering personal information into the form POSTs the information to “live-windowsantivirus. com” (the domain is registered in Turkey, while the site is hosted in the US at 206.217.211 .243). We recommend you avoid entering any personal information and clean up the infection instead:

[Screenshot: 7.2YearLicense]

ThreatFire prevents it from running on users’ systems as “Trojan.FakeAv”.

Internet Security 2010 — YOUR SYSTEM IS INFECTED

Wednesday, February 3rd, 2010

The rogueware Internet Security 2010 (not to be confused with PC Tools Internet Security 2010) is moving its way to the top of ThreatFire’s community stats as one of the highest-hitting FakeAv/scareware/rogueware packages for January 2010 and the beginning of February. Not only is its prevalence glaring, but the infection itself visually and functionally stands out:

[Screenshot: InternetSecurity2010 Desktop]

Victims of this scam will have a hard time ignoring the screaming new message on their desktop, “YOUR SYSTEM IS INFECTED”. The familiar red X appears in the system tray in the lower right corner of the screen, and multiple phony scan images subsequently pop up.

[Screenshot: InternetSecurity2010_2_install]

Next up is a phony but thorough listing of all the detected malware that doesn’t really exist on the user’s system, presented under a “Critical vulnerabilities found!” header and a mishmash of security industry buzzwords thrown together in the nonsensical phrase “Proactive system found several active vulnerabilities on your computer”…

[Screenshot: InternetSecurity2010_3_Critical_Vulnerabilities]

And after shocking the user with this series of blatantly false warnings, next comes the money maker: a suggestion that the user get a license, or pay, for Internet Security 2010:

[Screenshot: InternetSecurity2010_4_GetLicense]

If the user ignores the above warnings and tries to continue their work, they are instead assailed with scare-tactic messaging from the bottom right corner of the screen: “Click here to protect your computer from spyware!”…

[Screenshot: InternetSecurity2010_5_ClickHeretoProtect]

And “System Warning! Continue working in unprotected mode is very dangerous”, another phony taunt…

[Screenshot: InternetSecurity2010_5_Systemwarning]

Good thing that ThreatFire can keep this stuff off your system in the first place, and Spyware Doctor with AntiVirus is known to effectively clean up previously infected systems.