New Variants of Fake Anti-Virus Software

August 5, 2009

Rogue anti-virus software is distributed under many different names, among them Antivirus Plus, Advanced Virus Remover, Secret Service, and Antivirus Agent Pro. Whatever the name, the behavior is very similar.

Once installed, the rogue software starts to scan the user's system immediately. After the scan, reports of non-existent threats are presented to the user as a scare tactic.

The reports usually list many fake high-risk infections, which prompt the user to click the "remove threats" button in the anti-virus window. When this button is clicked, the user is shown license or registration errors instead.

The user is thus pressured into buying the software in order to remove the supposed malware from the system. The licenses are sold on a website that opens when the user clicks the "get license" button. These websites usually advertise huge discounts, lifetime support, a money-back guarantee, and so on.

SonicWALL is blocking the four variants mentioned above with these signatures: GAV: SecretService_2 (Trojan), GAV: AntiVirusAgentPro (Adware), GAV: AdvancedVirusRemover.A_3 (Adware), GAV: AntiVirusPlus.KV (Trojan).

Here are screenshots of the main windows of two fake AV programs:

[Screenshot: main windows of two fake AV programs]

Here's how fake AVs report non-existent threats:

[Screenshot: fake AV scan results listing non-existent threats]

Here's how fake AVs try to sell their licenses:

[Screenshot: fake AV license purchase page]

The SonicWALL UTM Research team is proactively scanning domains that host fake anti-virus variants, and we create signatures for each variant we find.

Here are statistics for some of those signatures: