Last week, we saw the re-emergence of another new trojan that is disguising itself as Microsoft’s no-cost antimalware program Microsoft Security Essentials. This imposter is known in the technical world of antimalware combat as “Win32/FakePAV”. FakePAV is a rogue that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications.
This fake software is distributed by a tactic commonly described as a “drive-by download” and shows up as a hotfix.exe or as an mstsc.exe file. Additionally, after the fake Microsoft Security Essentials software reports it cannot clean the claimed malware infection, it offers to install additional antimalware rogues (with names such as AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross). Lastly, this fake program will try to scare you into purchasing a product.
Before we get to the detailed view of how this trojan works, we want the message to be very clear: This software is a fake. Do not be fooled by this scam. This malware can potentially cause consumers and small business owners harm. Microsoft Security Essentials can be downloaded and used at no cost by users running genuine Windows (Download here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly up to no good.
If you have not already updated your security software please do so. Making sure your security software is up-to-date and has the latest definitions is the best way to prevent infections.
And now onto a detailed look at FakePAV. While different FakePAV distributions have different payloads, here is how the current one imitating Microsoft Security Essentials works:
1. It modifies the system so that it runs when Windows starts
2. When you go to execute something it’s watching for, it opens the alert window claiming the program is infected and blocks it from running.
3. You can expand it out for “additional details”
4. If you click “Clean computer” or “Apply actions”, it simulates an attempt to clean the claimed infection
5. You’ll then get an ‘unable to clean’ alert and be instructed to click ‘Scan Online’
6. Clicking this, a list of antimalware programs appears, including several fake removal tools, and you’d need to click Start Scan
7. Once the simulated scan completes, it will claim a solution was found and list products that can ‘clean’ the system (the listed products are fake removal tools).
8. Clicking ‘Free install’ on one of those downloads will download its installer and start installing
If you believe your machine has become infected, we encourage you to use Microsoft Security Essentials to check your PC for malware and to help remove them from your system. You can also find out how to get virus-related assistance at no charge from Microsoft here: http://www.microsoft.com/protect/support/default.mspx.
For more information on this FakePAV please visit our encyclopedia entry at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakePAV. It contains a lot of information that may help answer questions about this rogue.
And remember: Microsoft does not charge for Microsoft Security Essentials. You can find the legitimate version of Microsoft Security Essentials at http://www.microsoft.com/security_essentials.
Common Operating System Problems Reboot
Your program could keep crashing because your machine is in a bad state. Restarting the computer will ensure that the next time you start your program your machine will be in a proper state.
Download Updates/Latest Version
You could be encountering a problem that the spyware manufacturer is aware of, and has released a fix for. Visit your software company's web site and browse until you reach the product update section. Download and follow the page's installation instructions in order to correctly patch your software. Even if the company does not have a fix for the problem, they may have a documented work-around in order to resolve the problem.
It's possible that some of your program's resource files (dll's, binary, xml, etc.) are corrupted/altered. The next step would be to try and reinstall the software that is causing the problems.
can anyone explain how to manually remove this thing, this would be quite nice.
Problem Microsoft Security Essentials
I ask to excuse for quality of a wire transfer.
Dear creators of Microsoft Security Essentials!
I in a notebook had problems with the keypad. Keys "t", "y", "[", BACKSPACE, TAB, SHIFT (under the right hand SHIFT works) don't work. At check by the program of Microsoft Security Essentials the keypad has earned normally. However at new switching-on of a notebook of a problem with the keypad have returned again. What to do?
We are hard at work tracking these animals down!
World class stars • Christiano Ronaldo today and Nike Mercurial VaporSuperFly televisions CR II football boots begin. By Ronaldo on the pitch of the lightning speed and ease of style inspiration, CR Mercurial Vapor SuperFly II will Nike Safari printing of high-performance innovation and classical tradition to be perfectly.
In 1987 Nike first introduced printing technology in the Air Safari running shoes, lively designs for high-performance sport shoes revolutionized the design. At that time, Nike's leading architects, AirJordan series sport shoes of parent Ting g • hafir de started exploring alternative for sports shoes, fabrics, motifs and color, and brewed the famous ostrich skin design today.
Limited Edition Air Safari was snapped up quickly, the stunning design win the consumers on the topic of sport shoes. Today, classic printing time come back, this time, it will appear in the world's most outstanding player of the journey. The printed matter Improved the appearance of the shoes, coverage all over the shoe, showing a strong visual effect.
November 7th, All Stars meets at madelidebi wars, C wearing the CR Mercurial Vapor SuperFly II debut for the first time. This Ball boots will be held on 5 November in domestic retail sales.
My fiancé can catch any malware or virus like a cold! I installed Microsoft Security Essentials months ago and recently applied the updated version including daily updates and full scans (manually also), but it did not detect a thing! She was on Facebook for bit before we left for a couple hours. Upon returning home we restarted her laptop and that's when it booted to "Think Point"!
File location was user\appdata folder showing a .pdf file 4:43pm upon using a different scanner (Microsoft Security Essentials & Defender are dead).
No hard feelings! Microsoft has taught me the importantance of daily backups or before updates...
A few people asked about sources of drive-by downloads so here is my .02$.
While drive-by code can exist in any executable links (email, etc.) - we most often see malicious drive-by code on legitimate websites that people have compromised for their exploit code. Typical locations are things like comment boxes.
The reason for this is today’s drive-by coders like to take advantage of inline frames. Essentially it’s a separate HTML page inside of an existing page. Often the case when you go to a legitimate website that also publishes 3rd party content that might not have the same security standards as the legitimate website.
One of the most common ways of getting this kind of infection is also from going to unknown sites in search engine results. Bing actually scans and flags content it indexes to disable malicious drive-by links.
Typically people writing malicious code also target old browsers – so it’s critical to use a current browser. IE8 was one of the first to build mitigations for clickjacking and inline frame exploits. Make sure and update your browser.
Lastly there was a comment about getting infected even with up to date security software and malware definitions. As with any malware definition, variants of the malware will likely emerge so those definitions are continuously being updated to reduce the attack surface area. The key is to continue to use safe browsing habits and build up your malware defense. www.microsoft.com/.../pypc.aspx or visit this site for additional information: www.microsoft.com/.../default.aspx
Hope this helps.
Have to say that I was a victim of this - it royally screws up the system, not allowing any program to launch. There are a couple of useful instructions for removing this manually as NJZX noted is needed to do. And sorry Eric, I had an up-to-date version of MSE running and it didn't catch it. After clearing it out manually, MSE did catch a couple of remnants and no problem since.
Live Messenger can certainly be used to spread it if you're not careful with clicking on links and downloading files - just like other trojans and malware. It's just another way into your system. I don't know if it is the primary means of spreading at the moment - others will need to answer that (if it is known).
mine has been infected by this couple of times, have to remove it manually.. so far, seems it is spread via Live Messenger, can you confirm this?
Yes - we've published virus definitions so the most important thing you can do is make sure MSE is up to date and it will be able to detect and remove the threat. ~Eric
Thanks for the heads up on this one. Can I assume that the real MSE is updated to counter this threat before it can take hold on a system? Besides being technically observant, what else can we do to preemptively detect and protect against it?