Thanks to Andrew O’Donnell of SophosLabs for his behind-the-scenes work on this article.
There’s a new fake support scam in town, hiding behind a file calling itself
Microsoft Security Essentials, and it’s trying to trick victims into contacting bogus help centers.
The malware, known to Sophos as Troj/Diztakun-A (Microsoft calls it Hicurdismos), is strangely reminiscent of what many readers will know as lockscreen ransomware from back in 2012.
Lockscreen ransomware froze your computer with a web page that tried to squeeze you into paying a “fine”, often for alleged copyright infringement or porn-viewing “offences”, after which the lock screen would be removed.
Malware of this sort, such as the once-widespread Reveton, did its best to stop you switching away from the lockscreen, so that you couldn’t hack your way out of trouble using system tools such as Task Manager.
With Diztakun, the principle is similar but the outcomes are different.
Diztakun locks you up at a fake Blue Screen of Death (BSoD) screen, but instead of demanding payment via a web page, it kindly suggests that you might want to call for technical support, handily providing a toll free number to call.
These days, BSoDs are thankfully much rarer than they were, and usually vanish quickly of their own accord when your computer reboots automatically, but that’s not what happens with Diztakun.
The malware does the following so that you’ll think your system is truly locked up:
- Shows a frozen mouse cursor.
- Disables Task Manager to stop you from terminating the process.
- Fills the screen with the fake BSoD image.
Who’s at risk?
Microsoft Security Essentials is Microsoft’s anti-malware component for Windows 7 and earlier.
In Windows 8.1 and Windows, 10, you get Windows Defender instead; some users might not be aware of that, and assume that by installing a utility called Security Essentials, they’d be increasing their security rather than infecting themselves.
Whatever you do, if you see the fake BSoD above, don’t call the number! That won’t fix anything.
Instead, you’ll end up connected to a fake support call scammer, and your troubles will only get worse.
What to do?
When you need help with your computer, turn to someone you know, like and trust.
In this case, when we say “someone you know,” we mean “someone you’ve actually met in person,” as opposed to just online.
On Windows 10, Windows Defender is built in, so there’s no need to install Microsoft Security Essentials.
Tech support scams aren’t going away anytime soon, so keep an eye out for those that mimic real Windows messages.
And remember that old-school scams, where the crooks cold-call you instead of waiting for you to contact them, aren’t going away anytime soon, either.
For those classic attempts to con you out of your money, check out our brief podcast about how to hang up and stay safe:
DEALING WITH FAKE SUPPORT CALLS
Here’s a short podcast you can recommend to friends and family. We make it clear it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.
(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)
How to remove Dizaktun by hand
A few commenters asked about removing the specific sample described here by hand, so here’s how.
This sample described above installs itself as:
C:\Windows\Bluesquarez LLC\Sysprotector\Microsoft Security Essentials.exe
Deleting this file will remove the fake BSoD lock, but beating the malware to the punch after logging out and back in is tricky, because the fake BSoD appears again quickly.
Fortunately, however, Diztakun sets itself to run automatically only when the user who first ran the malware file logs back in.
If you have more than one user set up on your computer, you can log out and back in as a different user and should then be able to find and remove the abovementioned file.
If not, this worked for us on Windows 10:
Ctrl-Alt-Delat the fake BSoD to get back to the logon control screen.
- Click the power-off icon, hold down
- At the
Choose an optionscreen, click
- Log in with your usual username and password.
- At the command prompt, switch to the C: drive and delete the abovementioned file.
exitto return to
Choose an optionand click
If you’re unfamiliar with the command prompt, this is how it goes (with the parts you type in shown in highlighted text):
When you log back in and next try to run Task Manager, you will probably see a popup telling you that Task Manager has been turned off:
To fix this you will need to delete this registry entry:
You can do this using the Registry Editor; if you don’t have experience with this utility, you may want to ask a friend (but see above!) for help.