I came upon this installer today called “Microsoft Virus Fix”. Being somewhat curious, I proceeded to run the application and the following message appears:
Ok. I was somewhat underwhelmed (not impressed) by the application’s appearance. In fact, it already tells me that this application is highly dubious and is likely to be malwarish in nature.
To begin with, it is littered with several spelling and grammatical mistakes.
But “more” importantly, as every Microsoft Windows user knows, the application “doesn’t use up enormous amounts of system memory”. And of “horror of horrors”, there are also no traces of any fancy or flashy doohickeys within the user interface (the user-interface appears to be done by someone with a passing knowledge of Visual Basic). *wink*
Delving further into the application, the following message is shown:
Now we definitely know this is a fake. No self respecting Microsoft programmer would use cheesy names like “Yoyodyne”, “Ty coon”, “James Hacker” and “President of Vice” as examples. I know many a programmer who have been guilty of making bad puns (myself included) but this is taboo territory here.
Oh, incidentally, we detect the installer as W32/IRCBot-AEG. A quick static analysis also yields the malware author’s not-so-intelligent project workspace settings (“Fake Fix\Project 1.vbp” anyone?) (please click on the picture to see an enlarged image).
In short, we know this application to be fake. That’s because to have Microsoft release such a utility tool is, in the words of the Sicilian criminal genius Vizzini in the movie, The Princess Bride, simply “Inconceivable!”