Well, it had to happen eventually. One of the oldest tricks used by rogue antivirus products is to adopt a name similar to, or a look and feel similar to, legitimate security software. It’s been commonplace for them to mimic the Windows Security Center. So it was inevitable that the day would arrive when a rogue would masquerade as something resembling Microsoft Security Essentials. If anything, it surprises me a little that it’s taken so long.

This one calls itself “Security Essentials 2010” and looks something like this:

Fake scanning interface displayed by Win32/Fakeinit

For the record, this is how the real Microsoft Security Essentials appears when it has detected a threat (in this case, Win32/Fakeinit): 

Real Microsoft Security Essentials scanning interface
As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows (from here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.

Activation dialog displayed by Win32/Fakeinit

We detect this imposter as Trojan:Win32/Fakeinit.

Fakeinit’s downloader not only installs the fake scanner component – it also monitors other running processes and attempts to terminate the ones it doesn’t like, claiming that they are infected:

Fake warning alert displayed by Win32/Fakeinit

You can see a list of some of the terminated processes in the TrojanDownloader:Win32/Fakeinit description.

Aside from this, it lowers a number of security settings in the registry, and changes the desktop background to display the following rather alarming message:

Desktop background set by Win32/Fakeinit

It also modifies the registry in an attempt to prevent this background from being changed again.

Furthermore, it downloads and installs a Win32/Alureon component, and a Layered Service Provider (LSP) component, also detected as Trojan:Win32/Fakeinit. This LSP monitors the TCP traffic sent by the various Web browsers the user might have installed and blocks any traffic to certain domains, displaying the following instead:

Message displayed by Win32/Fakeinit when an affected user attempts to visit a blocked domain

You can find a list of some of the blocked domains in the Trojan:Win32/Fakeinit description.
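As an added defender-side triage helper (not code from this post or from any Microsoft tool), the following PowerShell surfaces the three kinds of host changes described above: Winsock LSP entries whose DLL sits outside System32, the policy values that lock the desktop background, and silenced Security Center notifications. The registry paths are standard Windows locations, not values taken from the Fakeinit description, and the filtering rules are assumptions about what a rogue LSP and a wallpaper lock typically look like.

```powershell
# Added triage helper; not from the MMPC post or the Fakeinit description.
# Registry paths are standard Windows locations (assumed relevant to the
# behaviours the post describes, not published in it).

function Get-SuspiciousWinsockProviders {
    # Parse 'netsh winsock show catalog' into one object per catalog entry.
    $entries = @(); $current = @{}
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*(Entry Type|Description|Provider Path|Catalog Entry ID):\s*(.*)$') {
            $current[$matches[1]] = $matches[2].Trim()
        } elseif ($line.Trim() -eq '' -and $current.Count -gt 0) {
            $entries += [pscustomobject]$current; $current = @{}
        }
    }
    if ($current.Count -gt 0) { $entries += [pscustomobject]$current }
    # Layered providers backed by a DLL outside System32 are the entries a
    # rogue LSP usually adds; review each hit rather than trusting the list.
    $entries | Where-Object {
        $_.'Entry Type' -match 'Layered' -and
        $_.'Provider Path' -notmatch '^%SystemRoot%\\system32\\'
    }
}

function Get-WallpaperLockSettings {
    # Policy values that stop the user from changing the background.
    $ad  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
    $sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($pair in @(@($ad, 'NoChangingWallPaper'), @($sys, 'Wallpaper'), @($sys, 'WallpaperStyle'))) {
        $v = Get-ItemProperty -Path $pair[0] -Name $pair[1] -ErrorAction SilentlyContinue
        if ($v) { [pscustomobject]@{ Key = $pair[0]; Name = $pair[1]; Value = $v.($pair[1]) } }
    }
}

function Get-SecurityCenterNotificationState {
    # Non-zero *DisableNotify values silence the Security Center warnings that
    # a rogue wants the user not to see.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) { [pscustomobject]@{ Name = $name; Value = $v } }
    }
}

Get-SuspiciousWinsockProviders      | Format-Table -AutoSize
Get-WallpaperLockSettings           | Format-Table -AutoSize
Get-SecurityCenterNotificationState | Format-Table -AutoSize
```

An empty result from all three functions does not prove a clean machine; it only means these particular traces are absent, so a full scan with up-to-date definitions is still the authoritative check.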

- David Wood