Sunday, August 22, 2010

Beware: Fake Microsoft Security Essentials Rogue

Further substantiation of the increasing popularity of Microsoft Security Essentials (MSE) is evidenced by the new five-in-one rogue reported by Microsoft MVP, Lawrence Abrams of Bleeping Computer. As illustrated by the image capture by Bleeping Computer, this rogue disguises itself as an alert from MSE.

Image and Description by Bleeping Computer:


"The fake Microsoft Security Essentials Alert is a Trojan that attempts to trick you into thinking you are infected so that you will then install and purchase one of 5 rogue anti-virus programs that it is distributing. When the Trojan is run it will masquerade as an alert from the legitimate Windows Microsoft Security Essentials Program anti-virus program. This alert will be titled Microsoft Security Essentials Alert and states that a Trojan was detected on your computer. It will list this Trojan as Unknown Win32/Trojan and state that it is a severe infection. It will then prompt you to clean your computer using the program in order to remove it. When you click on the Clean Computer or Apply actions button, it will state that it was unable to remove it and then prompt you to scan online. If you click on the Scan Online button it will list 35 different anti-virus programs, 30 of which are legitimate anti-virus programs and 5 that are rogues that the Trojan is distributing. These five rogue programs are:

  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpySafeguard or AntiSpy Safeguard

During this fake online scan only the 5 fake anti-virus programs listed above will state that this supposed Trojan is an infection. It does this to scare you into clicking the Free Install button next to them that will install the rogue program onto your computer and then reboot your computer. It should be noted that Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard, and AntiSpy Safeguard that this Trojan is distributing are exactly the same."

In the event you or someone you know is fooled by this rogue trojan, detailed removal instructions are available at Remove the Fake Microsoft Security Essentials Alert Trojan.

Follow-up Actions:
  • If additional assistance is needed to clean the computer, follow the posting instructions at one of these sites that provide Malware Removal Help.
  • Review the 4 Steps to Protect Your Computer and check that third-party programs such as Adobe Flash, Adobe Reader and Java are up-to-date.

, Rogue, Fraud

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Ludwig Keck said...

The "Go to original blog to view and post comments" links from Clubhouse do not work for this and prior posts of yours. For more info on this please contact me.

Ludwig Keck said...

On two machines in my family a similar rouge managed to get past MSE on three occasions. Is there any information available on how the rouge gets in or where it might come from?
On one machine the cure was to revert to a prior restore point from safe mode.

Corrine said...

Hi, Ludwig.

Thank you for the information about the Microsoft Clubhouse link. I submitted a support request in the Clubhouse forum.

Unfortunately, there is no simple answer to your question regarding how rogues get in. In some situations, we have found that it was because of outdated/vulnerable 3rd party software software (i.e. Java). (Even if the latest version is installed, an old version may still be in Add/Remove programs)

Drive-by installs -- going to an infected website (innocently via search results) is another source. Landing on the page results in a very realistic-looking message that the computer is infected or a window advertising security update software. Clicking an advertisement on a webpage is another source.

Unfortunately, when faced with the rogue window to install or scan with the so-called security software, clicking "cancel" or the "x" is useless as those buttons are programmed to mean the same as "Ok". Using Task Manager to end the process may stop it.

You and your family members may find the Microsoft videos reproduced in my blog post helpful: Fake Security Programs -- Rogues.