Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » Fake Antivirus


Threat Risk HIGH HIGH
Destructivity Unknown UNKNOWN
Payload Downloads other malware, may disable antivirus software and block access to web security sites
Detection files published
Description created 25 Apr 2010 02:02:00
Description updated 10 May 2010 02:02:00
Malware type TROJAN
Spreading mechanism EMAIL

Fake Antivirus


Fake antivirus' most used spreading mechanism is drive-by infections from visiting web sites. One popular technique is to manipulate search engines to display search engine results using search words that are "hot" to display web sites that are infected by fake antimalware. Such words are f.ex. big media events and other issues that people usually search for. See this article for more information about such techniques.
Another technique is propagation through malicious advertisements.
Google has investigated the web sites that are used to spread fake antimalware and concludes that the time that these web sites are online is getting increasingly shorter. The reason why is obviously to avoid being detected by the different technologies that are developed for safe browsing.
When email is used to spread the malware, the scheme is usually to use social engineering techniques to trick users into downloading malicious software and/or visiting web sites with malicious content.

Payload Details

When a computer is infected by fake antimalware a warning like the one below is displayed:

(Image not available)

The idea is to trick infected users into purchasing the the fake antivirus product by displaying information that the computer is infected even if it is not.
Some of the rogue security programs may display product names or logos in an apparently unlawful attempt to impersonate legitimate product. Some versions also disable legitimate antivirus programs, and block Internet access to security sites.
The fake antimalware products often downloads other malware components, which in turn may download other and update themselves with new/updated modules. The result is that the malware is difficult to remove and may be quite persistant in its attempts to convince the users to buy the product.

Fake antimalware products usually look quite convincing and professional. Here are a few examples:

(Image not available)

Antivirus 2010 Pro
(click image to enlarge)

(Image not available)

Spyware Protect 2009
(click image to enlarge)

More details

For details about specific variants of fake antimalware we refer to the following descriptions:

AntiVirus2008 W32/FakeSpyPro




The different variants of fake antimalware often download lots of different other malware, which in turn may download further malware components. A full cleaning of infected systems may therefore be difficult.

Last Updated: 12 Nov 2015 11:06:12