Recently we came across this rogue, Antivirus Plus. What makes this one different from others is that it was distributed directly as a fake video codec. They have now removed the fake alert step in between.
AntivirusTrigger is a new rogue anti-spyware application and a clone of VirusTrigger. It will give exaggerated threat reports on the compromised computer then ask the user to purchase a registered version to remove the reported threats.
ExtraAntivir and WinWebSecurity are two new rogue anti-spyware applications (FraudTools). They will give exaggerated threat reports on the compromised computer, then ask the user to purchase a registered version to remove threats which don't exist. They are included in our latest definition update (0143.0001).
In our daily work we see many different attempts to trick a user into installing dubious software. One of the more common variants is to use fake video codecs, in other words to claim that the user needs to download and install their software in order to see some videos. This could look something like this.
As soon as the user enters the page they will be presented with the following warning:
Recently we came across this clone of XLG Security Center. XLG Privacy Control Center is being distributed as a fake video codec and through email spam.
Recently we stumbled upon a rogue application that used a very aggressive way to get users to register and pay for a license. It all started with one downloaded file disguised as a movie file, using a .wmv.exe extension and a Windows Media icon. Once the file was run it started by warning you that your PC may be infected.
During the past months it has been possible to download an executable file called c-setup.exe. It promotes itself in a similar way to the normal Win32.TrojanDownloader.Zlob, but has a different behavior. You can find it at adult sites where it recommends the user to install a Video ActiveX Object to be able to play the desired video clip. If the user chooses to download and run c-setup.exe it will be forwarded to google.com.
A clone of XpAntiVirus has recently been released, named WinAntiVirus PRO. Those who have been around may remember WinAntiVirus PRO 2006 & 2007.
There are tons of rogue applications out there right now, and most use unique names. It was just a matter of time before there started to be name collisions, either on purpose or by mistake.
Finally a message to all fake anti-spyware/virus producers:
Do some research before you release new products; you might end up in court with your competitors because of name theft.
In the last days we have seen a new Rogue AntiVirus program being spread through a trojan. Opening up the program, Unigray AntiVirus, we were met by a somewhat familiar GUI.
You may have noticed our rogue application definition update last week. It was prompted by the deluge of complaints to our support team about C-NetMedia's AdWareAlert program from people who thought they were buying Lavasoft's AdAware 2007. The update also follows on from the excellent article by Ben Edelman (assisted by our very own Calamity Jane!) on the subject. You can read it here: http://www.benedelman.org/news/021408-1.html.
Spyware Isolator is one of this week's new rogue anti-spyware applications that we have seen here at Lavasoft Research. Its behaviour is typical of standard rogue applications.