Windows 7 Forums
Fake Microsoft Security Essentials software on the loose. Don’t be fooled by it!

Nibiru2012
10-26-2010
From: Windows Steam Blog 10-25-2010 by Eric Foster

Last week, we saw the re-emergence of another new trojan that is disguising itself as Microsoft’s no-cost antimalware program Microsoft Security Essentials. This imposter is known in the technical world of antimalware combat as “Win32/FakePAV”. FakePAV is a rogue that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications.

This fake software is distributed by a tactic commonly described as a “drive-by download” and shows up as a hotfix.exe or as an mstsc.exe file. Additionally, after the fake Microsoft Security Essentials software reports it cannot clean the claimed malware infection, it offers to install additional antimalware rogues (with names such as AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross). Lastly, this fake program will try to scare you into purchasing a product.

Before we get to the detailed view of how this trojan works, we want the message to be very clear: This software is a fake. Do not be fooled by this scam. This malware can potentially cause consumers and small business owners harm. Microsoft Security Essentials can be downloaded and used at no cost by users running genuine Windows (Download here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly up to no good.

If you have not already updated your security software please do so. Making sure your security software is up-to-date and has the latest definitions is the best way to prevent infections.

And now onto a detailed look at FakePAV. While different FakePAV distributions have different payloads, here is how the current one imitating Microsoft Security Essentials works:

1. It modifies the system so that it runs when Windows starts.

2. When you go to execute something it’s watching for, it opens the alert window claiming the program is infected and blocks it from running.

3. You can expand it out for “additional details”.

4. If you click “Clean computer” or “Apply actions”, it simulates an attempt to clean the claimed infection.

5. You’ll then get an ‘unable to clean’ alert and be instructed to click ‘Scan Online’.

6. Clicking this, a list of antimalware programs appears, including several fake removal tools, and you’d need to click Start Scan.

7. Once the simulated scan completes, it will claim a solution was found and list products that can ‘clean’ the system (the listed products are fake removal tools).

8. Clicking ‘Free install’ on one of those downloads will download its installer and start installing.

If you believe your machine has become infected, we encourage you to use Microsoft Security Essentials to check your PC for malware and to help remove it from your system. You can also find out how to get virus-related assistance at no charge from Microsoft here: http://www.microsoft.com/protect/support/default.mspx.


For more information on this FakePAV please visit our encyclopedia entry at http://www.microsoft.com/security/po...in32%2fFakePAV. It contains a lot of information that may help answer questions about this rogue.

And remember: Microsoft does not charge for Microsoft Security Essentials. You can find the legitimate version of Microsoft Security Essentials at http://www.microsoft.com/security_essentials.


SOURCE
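The quoted post says the rogue sets itself to run at Windows startup and shows up as hotfix.exe or mstsc.exe, but does not say which autostart location it uses. Below is an added triage script, not code from the blog post, Microsoft or this thread, that enumerates the common Run/RunOnce registry keys and flags any entry that launches one of those two names. Which keys to check, and the rule that mstsc.exe is only suspect outside %SystemRoot%\System32 (the real Remote Desktop client lives there), are assumptions of this example.

```powershell
# Added triage script for the behaviour described in the post above. It is not
# code from the blog post, Microsoft, or this forum. The only facts taken from
# the post are the two file names (hotfix.exe, mstsc.exe) and that the rogue
# runs at Windows startup; the autostart location is NOT stated there, so the
# Run/RunOnce keys below are an assumption covering the most common ones.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# mstsc.exe is also the legitimate Remote Desktop client, so only a copy
# outside %SystemRoot%\System32 is treated as suspect (assumed heuristic).
# hotfix.exe is not a Windows binary name, so it is flagged wherever found.
$suspectNames = @('hotfix.exe', 'mstsc.exe')
$system32     = Join-Path $env:SystemRoot 'System32'

# Properties Get-ItemProperty adds about the key itself; they are not autorun values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandPath {
    # Recover the executable path from an autorun command line, handling
    # quoted paths with spaces, trailing arguments and %VAR% references.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
        return $cl.Trim('"')          # unterminated quote: take the rest as the path
    }
    return ($cl -split '\s+', 2)[0]   # unquoted: path ends at the first whitespace
}

function Test-SuspectAutorun {
    # True when the command launches one of the suspect names from an
    # unexpected location.
    param([string]$CommandLine)
    $path = Get-CommandPath $CommandLine
    $name = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
    if ($suspectNames -notcontains $name) { return $false }
    if ($name -eq 'mstsc.exe' -and $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $false                 # the genuine Remote Desktop client
    }
    return $true
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        if (Test-SuspectAutorun $cmd) {
            [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $cmd }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No Run/RunOnce entries launching hotfix.exe, or mstsc.exe outside System32.' }
```

Two practical caveats. The post says the rogue kills the Registry Editor and other utilities, so on a live infected machine expect it to interfere with any tool you run; Safe Mode, or loading the hive offline with reg load from a clean boot, avoids that. And Run/RunOnce are only the most common autostart points: services, scheduled tasks and the Winlogon Shell/Userinit values are others, which the Sysinternals Autoruns tool enumerates in full.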

Core
10-27-2010
Appreciate the heads up.

linuxdudex12
11-02-2010
Funny thing is, I was surfing the malware domain list and came across this one a little while ago... it's interesting to say the least. It seems that there are a lot of fake antivirus programs going around. As of right now it accounts for ~9-12% of the incidents people bring to me.

MJOLNIR
04-16-2011
Lol @ how people make these things. They are money-obsessed, greedy people who care about nothing but how much is in their wallets, and it's been like this for many, many years. I remember how between 1-2 years ago the amount of viruses online skyrocketed by like 40%.

catilley1092
04-16-2011
Yes, they have. And the thing is, the AV/IS software writers are making a ton of cash from it. They don't want to see the eradication of viruses or malware, because if it were, the cash flow would stop. They simply prefer to contain or "quarantine" them, but not to clean the world of malware.

Almost every week, there's news of a new serious threat released. The only thing that we all can do is be as careful as possible as to where we travel on the net, and watch what we click onto.

And find the best AV/IS suite that we can afford (paid or free), and hope that it picks up the slack.

As far as MSE goes, if a user wants it, that one needs to download the real one themselves, or get it through Windows Update. I'm not going to click a pop-up link to install anything on my computers, that's too dangerous.

Cat