Monday, June 15, 2009

Anatomy of a Scam

A few months back, my shop suddenly started seeing a spike in the number of infections of a fake antivirus product called XP Antivirus 2008. No exaggeration, there was a point where people were bringing in 3 or more systems per day because of this infection. Programs like it have been generating revenue for my Geekonomic Stimulus Plan since about 2003 so I was both saddened and glad to hear that the FCC had recently busted some of the criminals behind this scam. My sadness at seeing this source of income evaporate was premature. They are back under a new name but it’s the same old scam.
This stuff goes by a few different names: Winfixer, XP Antivirus 2008, XP Antivirus 2009, Antivirus 360 and, most recently, XP Police Antivirus and Spyware Protect 2009.
These programs are a class of rogue anti-spyware programs that use false scan results and aggressive pop-up ads to motivate you to send them some money. Your antivirus program may identify them as the Vundo Trojan. One of the coolest things about this Trojan is that it blocks the installation of software that can be used to remove it, so that the average computer user is forced to contribute money to either the scammers or someone like me who can remove it.
You infect your computer by trying to view certain types of internet videos. When you click on these types of videos, you may be asked to install a “codec” that will allow you to view the video. If you click on OK to install the codec you, in effect, give this stuff permission to install on your computer. Because of that, legitimate antivirus products are generally ineffective in preventing the infection.
Once installed, Antivirus 360 will start being obnoxious as soon as you start Windows. You will see a constant barrage of false security alerts stating that your computer has a variety of security risks. These risks range from files being modified to “illegal porn” alerts. These alerts are false and are only being shown to further scare you into buying their product when in fact the Antivirus 360 program is the actual infection. These alerts coupled with the Vundo Trojan will cause your computer to operate slower and slower until it eventually becomes inoperable.
All these shenanigans are an attempt to get you to whip out your credit card and send these people $49.95 for their bogus software. However, when you try to register it you are also offered an upgrade to File Shredder 2008, for only $39.95. This software is bogus as well. Authorities are generally powerless to stop these people since they are generally members of the Russian Mafia or live in the Ukraine, where laws governing this stuff are lax.
If you are infected with this stuff, your choice is to deal with the Russian mafia or me. Choose wisely, comrades. If you want to try to tackle this yourself, we recommend a free product called Malwarebytes' Anti-Malware. It’s available from