Rebranded Rogue Anti-Virus Strikes Again – McAfee Avert Labs Blog
Rebranded Rogue Anti-Virus Strikes Again
Wednesday September 30, 2009 at 12:16 am CST
Posted by Avelino Rico Jr
Recently, we analysed samples of a new fake anti-virus program that brands itself as “Alpha Antivirus”. This program uses the following filenames: alphaav.exe and msnaoladdon.dll.
“Alpha Antivirus” is a new FakeAlert variant that evolved from the “Personal Antivirus” family of rogue anti-virus software. Like many FakeAlert variants, “Alpha Antivirus” promotes itself through pop-up web pages hosted on malicious websites. These pages mimic a “Windows Explorer” folder and a “Windows Security Alert” dialog, and perform a free but fake online scan of the affected system.

The following domains were observed hosting the fake online-scan pages and the main executable of “Alpha Antivirus”:
- mycompinfo17.com
- internetantivirusproscanner.com
- mycomputeronlinescan11.com
- internetsecurityscan.com
- mycompscanner07.com
- mycompscanner42.com
- internetantivirusproscan.com
- windowsdefenderupdate5.com
- securitybugfixupdate6.com
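The domain list above is the most directly actionable indicator in this post. As an added example (not code from the original post or from McAfee), here is a small Python checker that matches those domains, including any subdomain of them, against Squid access-log and BIND query-log lines. The log lines, client addresses, the 192.0.2.x peer addresses and the www.example.org entries are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domains the post lists as hosting the fake scanner pages and the installer.
ROGUE_DOMAINS = {
    "mycompinfo17.com", "internetantivirusproscanner.com", "mycomputeronlinescan11.com",
    "internetsecurityscan.com", "mycompscanner07.com", "mycompscanner42.com",
    "internetantivirusproscan.com", "windowsdefenderupdate5.com", "securitybugfixupdate6.com",
}

# Squid native access.log: time elapsed client code/status bytes method URL ...
SQUID_RE = re.compile(r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
# BIND query log: ... client 10.0.0.7#53211: query: www.foo.com IN A ...
BIND_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def matches_rogue_domain(host):
    """True if host equals a listed domain or is a subdomain of one.
    Matching is done label by label, so notmycompscanner07.com does NOT match."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in ROGUE_DOMAINS:
            return True
    return False


def extract_host(line):
    """Return (client_ip, hostname) from a Squid or BIND log line, or None if unparseable."""
    m = SQUID_RE.match(line)
    if m:
        url = m.group("url")
        # CONNECT requests log "host:port" rather than a URL.
        host = url.split(":")[0] if m.group("method") == "CONNECT" else urlsplit(url).hostname
        return (m.group("client"), host) if host else None
    m = BIND_RE.search(line)
    if m:
        return (m.group("client"), m.group("qname"))
    return None


def scan_log(lines):
    """Return [(line_no, client_ip, hostname)] for every line that touches a listed domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = extract_host(line)
        if parsed and matches_rogue_domain(parsed[1]):
            hits.append((n, parsed[0], parsed[1].lower()))
    return hits


# Constructed sample log lines (clients, peers and the example.org requests are made up).
SAMPLE_LOG = """\
1254297601.412    312 10.0.0.5 TCP_MISS/200 18230 GET http://www.example.org/news/ - DIRECT/192.0.2.10 text/html
1254297602.118     88 10.0.0.5 TCP_MISS/200 5120 GET http://mycompinfo17.com/scan.php?id=17 - DIRECT/192.0.2.20 text/html
1254297605.733   1420 10.0.0.5 TCP_MISS/200 612352 GET http://internetantivirusproscanner.com/download/alphaav.exe - DIRECT/192.0.2.21 application/octet-stream
1254297606.001     40 10.0.0.9 TCP_MISS/200 2048 GET http://notmycompscanner07.com/ - DIRECT/192.0.2.30 text/html
30-Sep-2009 07:54:10.550 client 10.0.0.7#53211: query: www.windowsdefenderupdate5.com IN A + (10.0.0.1)
30-Sep-2009 07:54:11.002 client 10.0.0.7#53212: query: www.example.org IN A + (10.0.0.1)
"""

if __name__ == "__main__":
    for line_no, client, host in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {client} -> {host}")
```

The label-wise comparison matters: a naive substring search would also flag the constructed notmycompscanner07.com line. Treat these domains as historical indicators; years after the post they may be parked, expired or re-registered by someone unrelated, so a hit is a reason to look at the client, not proof of infection.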
The page then prompts the user to install “Alpha Antivirus”. Once executed, the program runs a fake scan and reports multiple infections:


It also displays misleading pop-up warnings on the Windows taskbar.


This variant drops a copy of itself as %ProgramFiles%\AlphaAV\AlphaAV.exe and a msnaoladdon.dll component in the Windows System folder, and installs the DLL file as a Browser Helper Object (BHO).
(%ProgramFiles% refers to the Programs folder, e.g. X:\Program Files; where X: refers to the Windows installation drive)
AlphaAV.exe is detected as FakeAlert-DI while msnaoladdon.dll is detected as FakeAlert-EQ.
We frequently see abrupt changes in the branding, filenames and GUIs used by the same fake anti-virus programs. As more security vendors and researchers publish findings about new rogue anti-virus programs, the malware authors repackage their “products” under new brand names and filenames, and add more obfuscation and encryption to their files, in an attempt to avoid recognition by end users and, in some cases, to evade detection by security vendors.
Some known brand name and filename changes:
1. From pav.exe + winexplorer.dll to personalav.exe + msxmlm.dll (Personal Antivirus), and then again to alphaav.exe + msnaoladdon.dll (Alpha Antivirus)
2. From frmwrk32.exe to winupdate.exe (Antivirus XP/Pro)
3. From pcdef.exe + mousehook.dll + ntdll64.dll (WinPC Defender) to winav.exe + ieocx.dll + iehostcx32.dll (WinPC Antivirus).
4. From Spyware Protect 2009 to Antivirus System Pro
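Both the drop description above (a Browser Helper Object registered for msnaoladdon.dll in the System folder) and this list of renamed components give a host-side indicator that outlives any one brand name: a BHO whose server DLL is one of the known component filenames. As an added example, not the post's or McAfee's code, the following Python triage parses a regedit export of the BHO list and the CLSID registrations and flags such entries. The CLSIDs and the “Example Toolbar” entry in the sample export are constructed placeholders, not real identifiers.

```python
import re
from pathlib import PureWindowsPath

# Where Internet Explorer enumerates BHOs, and where each CLSID resolves to its DLL.
# Stored lower-case because registry paths are case-insensitive.
BHO_LIST_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_ROOT = r"hkey_classes_root\clsid"

# Component DLL names the post associates with this family and its earlier brands.
ROGUE_DLL_NAMES = {
    "msnaoladdon.dll", "msxmlm.dll", "winexplorer.dll",              # Alpha / Personal Antivirus
    "ieocx.dll", "iehostcx32.dll", "mousehook.dll", "ntdll64.dll",   # WinPC Antivirus / Defender
}

# A .reg value line: either the default value "@" or a quoted name, then "=" and the data.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse a regedit v5 .reg export into {key_path_lower: {value_name: data}}.
    REG_SZ data is unescaped; dword:/hex: data is kept verbatim."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(["\\])', r'\1', data[1:-1])   # \\ -> \ and \" -> "
        keys[current][name] = data
    return keys


def registered_bhos(keys):
    """Return [(CLSID, dll_path_or_None)] for every CLSID listed under the BHO key,
    resolved through HKCR\\CLSID\\{clsid}\\InprocServer32."""
    bhos = []
    prefix = BHO_LIST_KEY + "\\"
    for key in keys:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:
            continue  # a subkey of a BHO entry, not a BHO itself
        inproc = keys.get(CLSID_ROOT + "\\" + clsid + "\\inprocserver32", {})
        bhos.append((clsid.upper(), inproc.get("@")))
    return bhos


def triage_bhos(reg_text):
    """Flag BHOs whose DLL name is a known rogue component, or that resolve to no DLL at all."""
    findings = []
    for clsid, dll in registered_bhos(parse_reg_export(reg_text)):
        if dll is None:
            findings.append((clsid, None, "BHO registered but no InprocServer32 in export"))
            continue
        name = PureWindowsPath(dll).name.lower()
        if name in ROGUE_DLL_NAMES:
            findings.append((clsid, dll, "known rogue anti-virus component: " + name))
    return findings


# Constructed .reg export: CLSIDs and the "Example Toolbar" entry are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\system32\\msnaoladdon.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for clsid, dll, reason in triage_bhos(SAMPLE_REG):
        print(clsid, dll, reason)
```

On a live machine the input would come from `reg export` of the two keys. Filename matching is only as fresh as the list, which is exactly the point the post makes about rebranding; the more durable signal is the BHO registration itself combined with a drop location like %ProgramFiles%\AlphaAV or an unfamiliar DLL in the System folder, so any BHO the triage does not recognise still deserves a look.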
As a gentle reminder to all users: avoid visiting untrusted websites, install anti-malware products only from trusted and legitimate sources, and update the DATs (signature files) regularly.