This month, MSRT takes on another prevalent rogue family. This one is called Win32/InternetAntivirus and, although it has dabbled with the names General Antivirus and Personal Antivirus*, it is usually easy to recognise by the moniker Internet Antivirus Pro.
 
Win32/InternetAntivirus screenshot

Win32/InternetAntivirus follows the familiar path of fake online scanner leading to the rogue downloader, which in turn installs the rogue itself. The online scanner looks like this:
 
Win32/InternetAntivirus fake online scanner
 
This rogue downloader that these pages want you to run also downloads a password stealer called TrojanSpy:Win32/Chadem. Win32/Chadem tries to grab FTP usernames and passwords that the rogue creators can then use to compromise servers in order to host more malware. They use new domain names every day, often registering multiple names at a time, like scanfan4.info, star4scan.info and scanstar4.info.
 
Win32/InternetAntivirus also installs a component to display messages in your browser, similar to the combination of Win32/FakeXPA and Win32/Yektel. And it displays a bogus Windows Security Center, which reports that Internet Antivirus Pro is "unable" (sic).
 
Win32/InternetAntivirus fake Security Center
 
This is all pretty normal rogue behaviour these days. As always, only use security software that has been tested by a trusted third party. Read this or the latest Security Intelligence Report (SIR) for more details on what to look out for.
 
-- Hamish O'Dea
 
* Not to be confused with Win32/FakeXPA, which also currently (mis)uses the name Personal Antivirus.