Fake Antivirus Scam Still Around

Article by Lamar Stonecypher (20,035 pts), published Oct 31, 2009

You're using your computer and suddenly a warning pops up that you've got a virus. Your own antivirus can't find it, but the warning is persistent. An icon in the system tray suggests that you get better antivirus protection, and recommends a product by name. The problem is that this antivirus software is a total scam.

A friend, who shall remain nameless, had been getting a repetitious email that appeared innocuous. There was an unsubscribe link at the bottom of the page. One would think that clicking this link would take one to an unsubscribe page, but that’s not what immediately happened. So my associate clicked the link about three more times . . . and still nothing happened.

A little later a dialog labeled “Antivirus2009” popped up and said the PC had a Trojan virus. This became a frenzy of urgent messages cascading across the screen, and all of this was accompanied by a notice in the system tray area. Internet Explorer opened up with websites where corrective anti-virus software could be downloaded. The names of the websites in browser history were:

scan.antispyware-free-scanner.com

secure2.softpaydirect.com

securityadvizr.com

royalproscan.com

wi-a-v.com

The main dialog had to be closed in Task Manager. However, the notices continued to pop up from time to time and offer to scan the PC to fix the problem.

When this was selected, the scan completed very quickly, and the application said it could not fix the problem. It said to click “Yes” to get more powerful free antivirus scanning software. Upon looking at the website, pictured below, my friend discovered that while the scan was free, the software to repair the infection was not.

Article Image

Looking at the purchase link, my friend discovered that the website had neither a lock symbol in the browser frame nor “https” in the URL.
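An added example, not part of the original article: a Python check that compares browser-history URLs against the hostnames listed above and marks which visits used plain http, as the purchase page did. The sample URLs and their paths are constructed, and the function names are hypothetical; only the hostnames come from the article.

```python
from urllib.parse import urlsplit

# Hostnames the article lists from the affected PC's browser history.
ROGUE_AV_HOSTS = {
    "scan.antispyware-free-scanner.com",
    "secure2.softpaydirect.com",
    "securityadvizr.com",
    "royalproscan.com",
    "wi-a-v.com",
}

def matches_listed_host(host):
    """Return the listed host that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    for listed in ROGUE_AV_HOSTS:
        if host == listed or host.endswith("." + listed):
            return listed
    return None

def review_history(urls):
    """Return one finding per URL whose hostname is on the list."""
    findings = []
    for url in urls:
        parts = urlsplit(url.strip())
        listed = matches_listed_host(parts.hostname or "")
        if listed is None:
            continue
        findings.append({
            "url": url.strip(),
            "listed_host": listed,
            "plain_http": parts.scheme != "https",  # no TLS on this visit
        })
    return findings

# Constructed sample history; paths are invented for the example.
SAMPLE_HISTORY = [
    "http://scan.antispyware-free-scanner.com/scan/index.html",
    "http://secure2.softpaydirect.com/order?product=example",
    "http://www.royalproscan.com/",
    "https://notroyalproscan.com/",        # look-alike suffix, must not match
    "http://example.org/?ref=wi-a-v.com",  # listed name only in the query string
    "HTTP://WI-A-V.COM./download",
]

if __name__ == "__main__":
    for hit in review_history(SAMPLE_HISTORY):
        flag = "no TLS" if hit["plain_http"] else "TLS"
        print(f'{hit["listed_host"]:36} {flag:7} {hit["url"]}')
```

Matching on the parsed hostname with a dot boundary, rather than searching the whole URL for the name, keeps look-alike domains and query-string mentions from producing false hits.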

How the Problem was Fixed

The solution was to stop the program in Task Manager, delete it in Add/Remove Programs, and run a complete computer scan using AVG. AVG reported thirty-five infections, six malware/adware infestations, and over six hundred warnings that it either removed or healed.

A repeat scan proved the system clean.

How Such Malware is Obtained

PandaLabs, in their bulletin “Profitability of rogue anti-malware,” calls such programs “rogue anti-malware.”

Clicking a link in an email is one way that fake antivirus programs get the user to install them.

Another common “vector” is called “Drive-by download.” In this type, the computer becomes infected by the user visiting the website. The download may be automatic, using flaws in the web browser, or may involve a tempting-looking link to click on. Such sites are often adult in nature.

Yet another vector is web pages that offer downloads of pirated software, but send malware applications instead.

Common Traits

Although there are several variations in the scheme, rogue anti-malware applications tend to have some common traits. PandaLabs mentions:

They look and pretend to work like real antivirus applications.

They complete the scanning of the system very quickly.

They report infections that other anti-virus programs can’t find (because the infections do not really exist).

They use popup dialogs and messages in the system tray area of the taskbar to warn about an infection.

They may alter the screen-saver to make it look alarming, modify the desktop theme, and hide the Screen Properties settings so the user cannot change the theme or screen-saver.

The downloaded application appears to be a real, authentic anti-virus program, but it really installs a host of malware.
