A nasty spyware cleaner (read fraud!)

The definition of malware according to Google web definitions is a program or file that is designed to specifically damage or disrupt a system. Generally when we think malware, we think viruses, worms, trojans, or spyware. So what is the best way to protect yourself against malware? Get an anti-virus or anti-spyware program of course! Ever wondered if that trial spyware/malware cleaner you just downloaded and ran on your computer itself could be malware?

We at SophosLabs quite often come across fraudulent spyware/malware cleaning programs. Typically these cleaners offer a free scan of your computer, report a whole bunch of clean files as infected, and try to scare you into purchasing their product. Normally these programs can be uninstalled using Add or Remove Programs, and end of story.

Recently I came across Troj/FakeVir-AK which showed all the classic characteristics of a fake spyware/malware cleaner. After reporting my computer was severely infected (a spyware program reporting viruses and trojans?) things started to get nasty.

Fake antispyware main window

The spyware took complete control over my test machine. It prevented me from starting any new programs, accessing any files using Explorer, even running any command line tools! It changed my desktop wallpaper to a message which read: “WARNING! YOUR PC IS INFECTED! The virus installed on your computer can steal your passwords, accounts of credit cards and to intercept pressing keys and to send them on e-mail.”

Finally my monitor displayed this message:
I hit the only smart button I could imagine, “EXIT”, which fired up my default browser and attempted to take me to a secure webpage where I could purchase the full version of this anti-spyware cleaner.

A peek inside one of the files installed by our fraudulent spyware cleaner had told me that it was going to intercept me accessing bank webpages, PayPal, eBay, and some popular email sites. But until now I had no way of firing up a browser, or indeed any program. So I took the liberty of attempting to access PayPal instead of purchasing the anti-spyware cleaner, and, as expected, a message flashed up warning me that all my information was about to be stolen by some virus.

The moral of the story is that you should not download and run anything from the internet unless you absolutely trust its authenticity. Even programs which appear to be good Samaritans can hide nasty alter-egos.