We've seen a few rogue security programs use elements of legitimate security software in order to try to make themselves appear more authentic. It was inevitable that Microsoft Security Essentials would be the target of this kind of mimicry. While some rogues have simply copied Security Essentials' name, others have gone further by imitating elements of the Security Essentials user interface. By far the most prevalent of these is Win32/FakePAV, which is this month's addition to the MSRT family list.

When FakePAV sees an attempt to run certain programs, it displays a fake Security Essentials alert dialog.

Imitation Microsoft Security Essentials alert displayed by Win32/FakePAV

At first glance, there is very little that differentiates this from a real Security Essentials alert, beyond the bogus malware name ("Unknown Win32/Trojan"). You can close the window, but in a crude attempt to emulate the behavior of real-time malware blocking, FakePAV also terminates the program that it reports as a threat. This effectively means you can't run programs in FakePAV's kill list, including Internet Explorer and other common web browsers. This kind of technique has become extremely popular with rogues and serves the dual purpose of making the claims of infection more convincing and making the machine harder to use without registering the rogue.

Predictably, FakePAV's behavior differs greatly from Security Essentials' when you ask it to clean what it has found. FakePAV claims that it can't remove the threat and prompts you to "scan online".

Imitation Microsoft Security Essentials alert displayed by Win32/FakePAV

It then pretends to scan the file again. Earlier variants of FakePAV would display bogus results from a list of anti-virus scanners, including legitimate ones, but invariably only five fictional scanners were reported to actually detect the threat:

  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpy Safeguard

The rogue would even go as far as to display a different GUI depending on which "scanner" you chose to install. Current variants of FakePAV don't even provide the illusion of choice. They claim that you need to install AV software and that "ThinkPoint" will be installed as soon as the machine is rebooted.

Fake "solution found" window displayed by Win32/FakePAV

By this point the rogue has replaced explorer.exe as the machine's default shell, which means after reboot you see the rogue's "ThinkPoint" GUI instead of your desktop, taskbar and start menu. From here the experience is similar to most other rogues, with "ThinkPoint" pretending to run its own scan before reporting multiple threats that you need to buy the full version of the scanner to remove.

ThinkPoint scanner GUI displayed by Win32/FakePAV
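The shell replacement described above can be checked from a PowerShell prompt. This is an added example, not code from the original post; it assumes the replacement is recorded in the standard Winlogon `Shell` registry value (per-machine or per-user), which the post does not specify.

```powershell
# Added example: audit the Winlogon "Shell" value, the standard Windows setting
# that names the program started as the desktop shell at logon.
# Assumption: the post does not say how FakePAV registers itself as the shell;
# this checks the usual per-machine (HKLM) and per-user (HKCU) locations.
$expected  = 'explorer.exe'
$locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-ShellValue {
    param([string]$Value)
    # The value may hold several comma-separated commands. Each one must be
    # explorer.exe, either bare or as the copy in the Windows directory.
    $allowed = @($expected, (Join-Path $env:windir $expected))
    foreach ($entry in ($Value -split ',')) {
        $cmd = $entry.Trim().Trim('"')
        # -notcontains compares strings case-insensitively
        if ($allowed -notcontains $cmd) { return $false }
    }
    return $true
}

$results = foreach ($key in $locations) {
    $item = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing per-user value is normal: Windows falls back to the HKLM value.
        [pscustomobject]@{ Key = $key; Shell = $null; Status = 'not set' }
    } else {
        $status = 'UNEXPECTED'
        if (Test-ShellValue $item.Shell) { $status = 'ok' }
        [pscustomobject]@{ Key = $key; Shell = $item.Shell; Status = $status }
    }
}

$results | Format-Table -AutoSize -Wrap
if ($results.Status -contains 'UNEXPECTED') {
    Write-Warning 'Winlogon Shell is not explorer.exe; review the entries marked UNEXPECTED.'
}
```

On a clean machine the HKLM row reads `explorer.exe` with status `ok`, and the HKCU row is normally `not set`.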

The affected machine is now even more difficult to use; in addition to stopping explorer.exe from running, the rogue terminates Task Manager, leaving no easy way to run any other programs. If your computer has been infected by Win32/FakePAV, you can terminate its process by following these instructions.

Win32/FakePAV has only been around since August, but it has already become prevalent through typical rogue distribution methods, including search engine optimization (SEO), malicious ads and installation by other malware such as Win32/Harnig. Several elements of the rogue's modi operandi indicate that it was produced by the same group that produced Win32/PrivacyCenter. At this stage the rogue method for making money is pretty well established; imitating Microsoft Security Essentials is an example of the kind of slow evolution we are seeing as rogue makers try to convince more people to pay in the hope that it will make their computer behave normally again.

If in doubt, you can get the real Microsoft Security Essentials from http://www.microsoft.com/security_essentials/. And remember that it’s free for genuine Windows users and offers comprehensive malware protection; it won’t upsell you.

-- Hamish O'Dea