
You get to choose your poison.

A Trojan that pretends to be a Microsoft security function is popping up something new.

Basically, it mimics the idea of VirusTotal, a site that lets you see how some 40 legitimate security companies identify a sample of malicious code that you submit.

The Trojan copies files into multiple folders under different names. After five to 15 minutes, they generate a fake alert pop-up window:

[Screenshot: the fake “Potential threat details” alert]

After you click ANY of the four buttons on the scary “Potential threat details” screen, it takes you to a web site that shows you how different anti-malware products allegedly identify the malware that is (not really) on your computer. It includes a long list of legitimate ones, which oddly enough find no infection on your machine.

However, the display shows that four of them (which are NOT legitimate security products) have identified malicious files. Just by coincidence, those are also the ones that have a “free install” button listed next to their names.

Four of those buttons lead to rogue downloads:
— Red Cross Antivirus
— Peak Protection 2010
— Major Defense Kit
— Pest Detector 4.1 (lower on the page, not shown in the screen shot)

And, of course, you know the drill. Although the installs are “free” they pop up scary warnings that your machine is infected, but don’t remove the threats until you pay.

[Screenshot: the fake VirusTotal-style results page with “free install” buttons]

Red Cross Antivirus is the third rogue in the FakeRean family (third generation).

[Screenshot: Red Cross Antivirus]

Peak Protection 2010 is the second rogue of the FakeRean family’s third generation:

Major Defense Kit

[Screenshot: Major Defense Kit]

Pest Detector 4.1 is the first rogue of the FakeRean family’s third generation:

[Screenshot: Pest Detector 4.1]

The rogues install themselves as antispy.exe and tmp.exe in %local_settings%Temp and run. VIPRE detects them as Trojan.Win32.Generic.pak!cobra.

The install reboots your computer, kills Windows Explorer (which is what displays your desktop) and leaves you with no icons on your desktop. Using Task Manager, however, it is possible to launch Windows Explorer again and restore the icons to the desktop.

VIPRE identifies the initial fake alert as Trojan.Win32.FakeAlert.FakeAV-EI.
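For anyone triaging a machine by hand, the dropped filenames above are the quickest thing to check. The script below is an added example written for this post; it is not code from the post, from VIPRE, or from any of the rogues. The two filenames come from the post; the directory listing it scans is constructed sample data, and the live-scan helper simply walks whatever the TEMP environment variable points at. Note that tmp.exe in particular is a generic name, so a hit is a lead to confirm with a scanner, not a verdict on its own.

```python
import os
from pathlib import PureWindowsPath

# Filenames the post reports the FakeRean rogues dropping into the user's
# Temp directory. Anything else here is an assumption for this example.
FAKEREAN_DROPPER_NAMES = {"antispy.exe", "tmp.exe"}

# Constructed sample listing, standing in for a directory walk on a
# suspected machine (paths are made up for this example).
SAMPLE_LISTING = [
    r"C:\Documents and Settings\user\Local Settings\Temp\antispy.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\tmp.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\~DF1234.tmp",
    r"C:\Program Files\SomeTool\tmp.exe",  # same name, but not under a Temp folder
    r"C:\WINDOWS\system32\explorer.exe",
]


def find_fakerean_droppers(paths):
    """Return the entries in `paths` that match the post's dropper names.

    A path matches when its filename (case-insensitive) is one of the
    reported dropper names AND one of its parent directories is named
    'Temp', which is where the post says the rogues install themselves.
    """
    hits = []
    for raw in paths:
        parts = PureWindowsPath(raw).parts
        if not parts:
            continue
        filename = parts[-1].lower()
        parents = [part.lower() for part in parts[:-1]]
        if filename in FAKEREAN_DROPPER_NAMES and "temp" in parents:
            hits.append(raw)
    return hits


def collect_temp_listing(temp_dir=None):
    """Walk the user's Temp directory (or `temp_dir`) and return full paths.

    Read-only: nothing is deleted or executed; the output feeds
    find_fakerean_droppers() so a responder can decide what to look at.
    """
    root = temp_dir or os.environ.get("TEMP") or os.environ.get("TMP")
    if not root or not os.path.isdir(root):
        return []
    listing = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            listing.append(os.path.join(dirpath, name))
    return listing


if __name__ == "__main__":
    # Run against the constructed sample first, then the live Temp directory.
    for hit in find_fakerean_droppers(SAMPLE_LISTING):
        print("sample hit:", hit)
    for hit in find_fakerean_droppers(collect_temp_listing()):
        print("live hit:", hit)
```

On the constructed listing only the two files under Local Settings\Temp are reported; the tmp.exe under Program Files is skipped because the name alone is too common to flag. Confirm any live hit with an up-to-date scanner (the post gives the VIPRE names) before acting on it.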

Here is what the real Virus Total page looks like:

[Screenshot: the real VirusTotal results page]

Thanks Patrick.

Tom Kelchner