Threat Research & Response Blog
Anyone who’s seen a system infected by a rogue security program doesn’t need to be told how annoying they can be, as they attempt to scare, threaten, cajole, hector, harangue, pester, aggravate, intimidate, badger, harass and generally nag* the user into paying to register the fake software. And even among rogues, there are few that are quite as annoying as Win32/FakeScanti, which is this month’s addition to the Malicious Software Removal Tool (MSRT).
*I realize I’m being more than a little repetitive here. But this still pales in comparison to how repetitive your average rogue can get.
We first saw a variant of Win32/FakeScanti back in early March of this year, when it went by the name of ASC Antivirus. There was then very little activity on the FakeScanti front until late July, when we noticed a file, which we detect as TrojanDownloader:Win32/FakeScanti, downloading a new version of the scanner going by the name of Windows Antivirus Pro. This version was proactively detected by the signatures added in March. Since then there has been a steady stream of new files, but only one name change, to Windows Police Pro. Apart from the name change, the user interface, and even the list of alleged “malware” detected by this rogue, have remained identical:
FakeScanti has your usual grab bag of popups, system tray balloons, and dialog boxes (and there are many examples of these in our Win32/FakeScanti description) all reporting malicious activity, and recommending that the reported threats be removed. Of course, if you want this to happen, then naturally you have to pay:
These popups tend to pile up on the screen at a rapid rate, and dismissing any one of these results in the confirmation dialog below, which also needs to be closed. Notice how the placement of the Purchase and Continue buttons is swapped compared to the dialog above.
Win32/FakeScanti also uses a number of other tricks common to many other rogues, such as the display of a fake version of the Windows Security Center, or blocking access to certain web sites:
It uses a number of other methods in an attempt to convince users that the system is infected. These include:
It does this by associating the .exe extension with desot.exe, one of the files installed by Win32/FakeScanti. As a result, when an attempt is made to run one of these files, the filename is passed to desot.exe, which will decide whether it is allowed to run, and display a message box such as the one above if not.
The “Fix it” button launches the fake scanner. The other buttons do not do anything.
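The .exe association hijack described above leaves a footprint in the registry that is easy to check for. The following PowerShell script is an added example (not part of the original post or of any Microsoft tool): it reads the .exe extension mapping and the exefile open command from both the per-user and machine-wide Classes keys and reports anything that differs from the Windows default of `"%1" %*`. It only reads the registry and changes nothing.

```powershell
# Added example: detect a redirected .exe file association such as the one
# FakeScanti creates by pointing .exe at desot.exe. Read-only check.
$expectedCommand = '"%1" %*'   # Windows default open command for exefile

# HKCR is a merged view of these two hives; HKCU entries take precedence,
# so both locations must be inspected.
$roots = @('HKCU:\Software\Classes', 'HKLM:\Software\Classes')

function Get-DefaultValue($path) {
    # Return the "(default)" value of a key, or $null if the key is absent.
    if (Test-Path -LiteralPath $path) {
        (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'(default)'
    }
}

$findings = @()
foreach ($root in $roots) {
    # 1. The .exe extension should map to the "exefile" ProgID.
    $progId = Get-DefaultValue "$root\.exe"
    if ($progId -and $progId -ne 'exefile') {
        $findings += "$root\.exe maps to ProgID '$progId' (expected 'exefile')"
    }

    # 2. The open command of exefile (and of any substituted ProgID) should
    #    launch the file itself, not a third-party binary.
    $progIds = @('exefile', $progId) | Where-Object { $_ } | Select-Object -Unique
    foreach ($prog in $progIds) {
        $cmd = Get-DefaultValue "$root\$prog\shell\open\command"
        if ($cmd -and $cmd.Trim() -ne $expectedCommand) {
            $findings += "$root\$prog\shell\open\command = $cmd (expected $expectedCommand)"
        }
    }
}

if ($findings) {
    Write-Warning '.exe association has been altered:'
    $findings | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output '.exe association matches the Windows default.'
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; any reported command that names a file the user did not install is worth investigating with a reputable scanner.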
As we've mentioned before, if you're concerned about the veracity or legitimacy of a particular antivirus scanner, it's a good idea to check if the product in question has received any industry-recognized certification. Virus Bulletin VB100 is a good place to start, but there are other industry-recognized testing and certification bodies that are good for this kind of verification. If you're looking for security software for your computer, you could also visit http://www.microsoft.com/windows/antivirus-partners for a list of security software providers.
If you believe you are infected, we encourage you to use the Windows Live OneCare safety scanner to check your PC for malware and to help remove it from your system. In addition, we encourage you to submit any suspicious files to the MMPC team for analysis. If you don’t already have active, up-to-date anti-malware protection, remember that our new security product, Microsoft Security Essentials, runs quietly in the background and never asks you for payment.