If it calls itself “Security Essentials 2010”, then it’s possibly fake, innit?

kemical

Wednesday, February 24, 2010 9:44 PM by Link Removed due to 404 Error
If it calls itself “Security Essentials 2010”, then it’s possibly fake, innit?


Well, it had to happen eventually. One of the oldest tricks used by rogue antivirus products is to use a similar name as, or have a similar look and feel to, legitimate security software. It’s been commonplace for them to mimic the Windows Security Center. So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Microsoft Security Essentials. If anything, it surprises me a little that it’s taken so long.
This one calls itself “Security Essentials 2010” and looks something like this:
Link Removed due to 404 Error
For the record, this is how the real Microsoft Security Essentials appears when it has detected a threat (in this case, Win32/Fakeinit):
Link Removed due to 404 Error

As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running Link Removed due to 404 Error (from here: Link Removed due to 404 Error). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.
Link Removed due to 404 Error
We detect this imposter as Link Removed.
Fakeinit’s downloader not only installs the fake scanner component – it also monitors other running processes and attempts to terminate the ones it doesn’t like, claiming that they are infected:
Link Removed due to 404 Error

You can see a list of some of the terminated processes in the Link Removed.
Aside from this, it lowers a number of security settings in the registry, and changes the desktop background to display the following rather alarming message:
Link Removed due to 404 Error
It also modifies the registry in an attempt to prevent this background from being changed again.
Furthermore, it also downloads and installs a Link Removed component, and another Layered Service Provider (LSP) component, also detected as Trojan:Win32/Fakeinit. This LSP monitors the TCP traffic sent by various Web browsers that the user might have installed, and blocks any traffic to certain domains, instead displaying the following:
Link Removed due to 404 Error
You can find a list of some of the blocked domains in the Link Removed.
- David Wood

Link Removed

I've seen this myself and it's quite a nasty one, so be careful, you guys.
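The MMPC post above describes two persistent changes this rogue makes: a registry change that stops the desktop background from being changed back, and a Winsock Layered Service Provider (LSP) that filters browser traffic. The following PowerShell audit is an added example (it is not code from the MMPC post, from Microsoft, or from this thread) that looks for both symptoms on a host. The post does not name the exact registry values Fakeinit touches, so the policy and Security Center values checked here are an assumption about where such a rogue would make its changes; `netsh winsock show catalog`, `Get-AuthenticodeSignature` and `netsh winsock reset` are standard Windows tools.

```powershell
# Added example, not from the MMPC post or this thread: audit a Windows host for
# a wallpaper-lock policy and for unexpected Winsock LSP entries. Run elevated.
# Which registry values Fakeinit actually changes is not stated in the post; the
# values below are well-known policy/Security Center settings and are an
# assumption about where a rogue of this kind would make its changes.

$findings = @()

# 1. Policy values a rogue may set to lock the desktop or silence warnings.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                                Name = 'AntiVirusDisableNotify' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                                Name = 'FirewallDisableNotify' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                                Name = 'UpdatesDisableNotify' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -ne 0) {
        $findings += "Policy set: $($c.Path)\$($c.Name) = $($v.($c.Name))"
    }
}

# 2. Winsock catalog: every provider DLL should live under System32 (or SysWOW64
#    on 64-bit) and carry a valid Authenticode signature. An LSP that fails
#    either test is worth a closer look.
$providerPaths = netsh winsock show catalog | ForEach-Object {
    if ($_ -match '^\s*Provider Path:\s*(.+)$') {
        [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
    }
} | Sort-Object -Unique

$trustedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)
foreach ($p in $providerPaths) {
    if (-not (Test-Path -LiteralPath $p)) {
        $findings += "Winsock provider path missing on disk: $p"
        continue
    }
    $inTrustedDir = $false
    foreach ($d in $trustedDirs) {
        if ($p.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
    }
    $sig = Get-AuthenticodeSignature -FilePath $p
    if (-not $inTrustedDir -or $sig.Status -ne 'Valid') {
        $findings += "Suspicious Winsock provider: $p (signature: $($sig.Status))"
    }
}

if ($findings.Count -eq 0) {
    'No wallpaper-lock policy or unexpected Winsock provider found.'
} else {
    $findings
    'If an LSP entry is the culprit, "netsh winsock reset" followed by a reboot rebuilds the catalog.'
}
```

A clean catalog normally lists only Microsoft-signed providers such as mswsock.dll under System32, so any DLL in a user-writable location or with an unsigned or invalid signature stands out immediately. The registry checks report any non-zero value, which is the state a rogue would leave behind; on a machine where an administrator has set those policies deliberately they will of course also show up.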
 


We should always be wary of these "rogue" infections.
If you're not the most tech savvy user, look at it this way: if you didn't install it, it's probably fake.

If you do happen to catch a rogue infection, restart in Safe Mode (with networking), download a good malware program (I'd recommend MalwareBytes Anti-Malware and Spybot S&D).

One of the newest contestants is "Wireshark AV"
Link Removed
 


The introduction of false anti-virus applications is a major problem, most prominently in Windows XP. I have seen this issue time and time again on compromised systems. The result of the compromise is usually lax security on the network level - open ports on the router which could easily be identified using penetration testing, as well as incorrect Windows Firewall settings. The inability of organizations to keep up with the latest security updates for Windows will also create this result, as well as irresponsible browsing. There is a chance the system can still be salvaged after this problem occurs, but its security must now be considered suspect permanently, unfortunately. By using anti-malware, *good* anti-virus programs (NOD32, Kaspersky), as well as trojan removers, you can get rid of the situation, usually in safe mode. However, I have seen some systems with hundreds of trojans and malware. In this case, a clean install becomes the only viable option if the organization is serious about information and network security.
 


Solution
In case you can't get it cleaned up or repaired, it's a good idea to keep a current image of your OS handy. I also have the HD partitioned with the OS on one partition and data on the other. I use Acronis True Image 2010 and made the bootable disk.
Joe
 


Are these slipping onto the system using Adobe Flash by chance? My nephew is learning disabled and only reads at a third grade level. He is not retarded. I've noticed lately that Avast seems to go off a lot in his search for videos. Most of his searches look like legit sites, like looking for YouTube videos.
On the other hand I know adult sites can switch you almost anyplace when you click, a fake looking video player comes up or a screen that says something about a security scan. Both of these seem to be triggers to install the malware. If I get anything strange I bring up the task manager and close the window. I know some of the popups are rigged so even if you select no it installs anyway.
Adobe isn't well regarded for security in their products either. It's pretty difficult to avoid Flash. I only use the Adobe Reader when absolutely required. I know in the past both have been major holes in security.
Joe
 

