Windows 7 If it calls itself “Security Essentials 2010”, then it’s possibly fake, innit?

kemical

Windows Forum Admin
Staff member
Premium Supporter
Microsoft MVP
#1
Wednesday, February 24, 2010 9:44 PM by mmpc
If it calls itself “Security Essentials 2010”, then it’s possibly fake, innit?


Well, it had to happen eventually. One of the oldest tricks used by rogue antivirus products is to use a similar name as, or have a similar look and feel to, legitimate security software. It’s been commonplace for them to mimic the Windows Security Center. So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Microsoft Security Essentials. If anything, it surprises me a little that it’s taken so long.
This one calls itself “Security Essentials 2010” and looks something like this:

For the record, this is how the real Microsoft Security Essentials appears when it has detected a threat (in this case, Win32/Fakeinit):


As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows (from here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.

We detect this imposter as Trojan:Win32/Fakeinit.
Fakeinit’s downloader not only installs the fake scanner component – it also monitors other running processes and attempts to terminate the ones it doesn’t like, claiming that they are infected:


You can see a list of some of the terminated processes in the TrojanDownloader:Win32/Fakeinit description.
Aside from this, it lowers a number of security settings in the registry, and changes the desktop background to display the following rather alarming message:

It also modifies the registry in an attempt to prevent this background from being changed again.
Furthermore, it also downloads and installs a Win32/Alureon component, and another Layered Service Provider (LSP) component, also detected as Trojan:Win32/Fakeinit. This LSP monitors the TCP traffic sent by various Web browsers that the user might have installed, and blocks any traffic to certain domains, instead displaying the following:

You can find a list of some of the blocked domains in the Trojan:Win32/Fakeinit description.
- David Wood

Microsoft Malware Protection Center : If it calls itself

I've seen this myself and it's quite a nasty one so be careful you guys....
 


Celestra

Former Moderator
#2
Very Frightening.....
 


Mitchell_A

Essential Member
#3
We should always be wary of these "rogue" infections.
If you're not the most tech savvy user, look at it this way: if you didn't install it, it's probably fake.

If you do happen to catch a rogue infection, restart in Safe Mode (with networking), download a good malware program (I'd recommend MalwareBytes Anti-Malware and Spybot S&D).

One of the newest contestants is "Wireshark AV"
http://free-pc-guides.com/virus-rem...wireshark-antivirus-virus-removal-guide-03452
 


Mike

Windows Forum Admin
Staff member
Premium Supporter
#4
The introduction of false anti-virus applications is a major problem, most prominently in Windows XP. I have seen this issue time and time again on compromised systems. The result of the compromise is usually lax security on the network level - open ports on the router which could easily be identified using penetration testing, as well as incorrect Windows Firewall settings. The inability for organizations to keep up with the latest security updates for Windows will also create this result, as well as irresponsible browsing. There is a chance the system can still be salvaged after this problem occurs, but its security must now be considered suspect permanently, unfortunately. By using anti-malware, *good* anti-virus programs (NOD32, Kaspersky), as well as trojan removers, you can rid of the situation, usually in safe mode. However, I have seen some systems with hundreds of trojans and malware. In this case, a clean install becomes the only viable option if the organization is serious about information and network security
 


Joe S

Excellent Member
#5
In case you can't get it cleaned up or repaired it's a good idea to keep a current image of your OS handy. I also have the HD partitioned with OS on one and Data on other. I use Acronis True Image 2010 and made the bootable disk.
Joe
 


Joe S

Excellent Member
#6
Are these slipping onto the system using Adobe Flash by chance? MY nephew is learning disabled and only reads at a third grade level. He is not retarded. I've noticed lately that Avast seems to go off a lot in his search for videos. Most of his searches look like legit sites like looking for Utube videos.
On the other hand I know adult sites can switch you almost anyplace when you click, a fake looking video player comes up or a screen that says something about a security scan. Both of these seem to be triggers to install the malware. If I get anything strange I bring up the task manager and close the window. I know some of the popups are rigged so even if you select no it installs anyway.
Adobe isn't well regarded for security in their products either. It's pretty difficult to avoid Flash. I only use the Adobe Reader when absolutely required. I know in the past both have been major holes in security.
Joe
 


This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.