The family added to the July MSRT release is Win32/FakeSpypro. As is often the case with rogues, it has used multiple "names" over time. The current branding used by Win32/FakeSpypro is "Antivirus System PRO", with the previous incarnation being "Spyware Protect 2009".
The "user interface":
Typically, Win32/FakeSpypro assaults the user with a barrage of system tray warnings, fake firewall messages and other pop-ups displaying fake warning messages.
The ultimate goal, of course, is to part the end user from their money. On websites which look like the following, you may purchase a copy of Win32/FakeSpypro for the princely sum of $49.95 US!
Win32/FakeSpypro also drops and installs a browser helper object (BHO). This component is able to redirect queries to internet search engines such as "live.com". The redirection is performed selectively, such as when a search term like "antivirus" is used. The user will then be presented with a fraudulent warning page in the browser such as the one displayed below:
Win32/FakeSpypro may arrive on a system via different paths. For example, it may be dropped by Win32/Preald, downloaded by Win32/Branvine or Win32/Bredolab, or even downloaded by prevalent spam bots such as Win32/Waledac and Win32/Cutwail. The MMPC has also observed Win32/FakeSpypro being installed via common exploit "kits" in the wild.
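Because the search redirection described above depends on a registered browser helper object, an inventory of the BHOs on a machine is a useful check. The following PowerShell is an added example, not MMPC or MSRT code; it reads the standard Internet Explorer BHO registry locations, and the function name `Get-BhoInventory` is hypothetical. It assumes no FakeSpypro-specific CLSID or file name, since the post gives none.

```powershell
# Added example: list every registered Browser Helper Object, resolve the DLL
# behind it, and report its Authenticode status so unsigned or missing
# binaries stand out for review.
function Get-BhoInventory {
    $bhoSubKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $views = @(
        @{ View = 'native'; Bho = "HKLM:\SOFTWARE\$bhoSubKey"
           Cls  = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ View = '32-bit'; Bho = "HKLM:\SOFTWARE\WOW6432Node\$bhoSubKey"
           Cls  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid  = $key.PSChildName
            $clsKey = Join-Path $v.Cls $clsid
            $name = $null; $dll = $null; $sig = $null
            if (Test-Path -LiteralPath $clsKey) {
                # Default value of the CLSID key is the friendly name.
                $name = (Get-Item -LiteralPath $clsKey).GetValue('')
                $inproc = Join-Path $clsKey 'InprocServer32'
                if (Test-Path -LiteralPath $inproc) {
                    # Default value of InprocServer32 is the DLL loaded into the browser.
                    $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
                    $dll = $dll.Trim('"')
                }
            }
            # Note: a 32-bit entry pointing at System32 really lives in SysWOW64
            # when this runs in 64-bit PowerShell, so "FileExists" may read False.
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
            if ($exists) { $sig = Get-AuthenticodeSignature -LiteralPath $dll }
            [pscustomobject]@{
                View       = $v.View
                CLSID      = $clsid
                Name       = $name
                Dll        = $dll
                FileExists = $exists
                Created    = if ($exists) { (Get-Item -LiteralPath $dll).CreationTimeUtc }
                Signature  = if ($sig) { $sig.Status } else { 'NotChecked' }
                Signer     = if ($sig -and $sig.SignerCertificate) {
                                 $sig.SignerCertificate.Subject }
            }
        }
    }
}

# Review anything that is not validly signed, newest file first.
Get-BhoInventory | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Created -Descending | Format-List
```

An unsigned result is a lead for investigation rather than a verdict, since legitimate BHOs are sometimes unsigned.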