Fake Microsoft Antivirus on the Loose
Rogue software distributors are known to create fake user interfaces and exploit popular trends. The newest victim of bogus software is the free antivirus program from Microsoft. The fake Microsoft Security Essentials alert is installed by a Trojan. The rogue program will immediately appear if you try to open any of the useful utilities in Windows, such as the Registry Editor, Task Manager or System Configuration utility (MSCONFIG). It will also drop defender.exe into the Windows startup programs and replace it with an antispy.exe file.
Unsuspecting users who click on the "clean computer" or "apply actions" button will be offered an online scan while the fake threat is in suspended mode. Upon clicking on "scan online", a new window is opened by the rogue program that will display another fake user interface, offering the free installation of 5 rogue antivirus programs such as Red Cross, Peak Protection, Pest Detector, Major Defense Kit and AntiSpySafeguard. If the user clicks on any of the "free to install" rogue antivirus programs, the computer will immediately restart.
The rogue program will modify the Winlogon registry key by adding "shell" registry values, and the PC will not load the taskbar unless the user clicks on the rogue program's "safe startup" command, which is also a fake command. The new scanner will start to display nonexistent threats and continue to display a fake balloon warning message.
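To check a machine for the changes described above, the following added example (not part of the original article) scans the text of a registry export for a Winlogon "Shell" value other than the Windows default explorer.exe and for autostart entries naming defender.exe or antispy.exe. It assumes the startup entries live in the Run key and that either registry hive may be affected; the sample export, its paths and its value names are constructed.

```python
import re

# Standard Windows key locations, matched as lowercase suffixes so that both
# HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are covered (assumption: either hive).
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"
RUN = r"\microsoft\windows\currentversion\run"
# File names the article attributes to the rogue program, matched as basenames.
ROGUE_RE = re.compile(r'(?:^|[\\/" ])(?:defender|antispy)\.exe\b')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def findings(text):
    """Return (key, value_name, data, reason) tuples that deserve a closer look."""
    out = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower().strip()
        if k.endswith(WINLOGON) and name.lower() == "shell" and d != "explorer.exe":
            out.append((key, name, data, "non-default Winlogon Shell"))
        elif k.endswith(RUN) and ROGUE_RE.search(d):
            out.append((key, name, data, "autostart file name from the article"))
    return out

# Constructed sample export; user name, paths and value names are invented.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\sample\\AppData\\Roaming\\example.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"ExampleEntry"="C:\\Users\\sample\\AppData\\Roaming\\defender.exe"
'''
```

Registry Editor saves version 5.00 exports as UTF-16, so decode the file with that encoding before passing its text to `findings()`. A hit is a lead for manual review, since a legitimate program can also use one of these file names.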
Note that if you are using the genuine Microsoft Security Essentials, the free antivirus from Microsoft, you will notice that the alert is different from the fake MSE alert added by a Trojan. See the sample alert by MSE in this Microsoft Security Essentials Review.