MS Antivirus (malware)
MS Antivirus is a scareware rogue anti-virus which claims to remove fake virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software.
Names
MS Antivirus has a number of other names. It is also known as XP Antivirus, Vitae Antivirus, Windows Antivirus, Win Antivirus, Antivirus Pro, Antivirus Action, Antivirus Pro 2009, Antivirus 2007, 2008, 2009, 2010, and 360, AntiMalware GO, Internet Antivirus Plus, System Antivirus, Spyware Guard 2008 and 2009, Spyware Protect 2009, Winweb Security 2008, System Security, Malware Defender 2009, Ultimate Antivirus2008, Vista Antivirus, General Antivirus, AntiSpywareMaster, Antispyware 2008, XP AntiSpyware 2008, 2009 and 2010, Antivirus Vista 2010, Real Antivirus, WinPCDefender, Antivirus XP Pro, Anti-Virus-1, Antivirus Soft, Antispyware Soft, Antivirus System PRO, Antivirus Live, Vista Anti Malware 2010, Internet Security 2010, XP Antivirus Pro, Security Tool, VSCAN7, and Total Security.
Symptoms of infection
Each variant has its own way of downloading and installing itself onto a computer. MS Antivirus is made to look functional to fool a computer user into thinking that it is a real anti-virus system in order to convince the user to "purchase" it. In a typical installation, MS Antivirus runs a scan on the computer and gives a false spyware report claiming that the computer is infected with spyware. Once the scan is completed, a warning message appears that lists the spyware "found", and the user has to click on a link or a button to remove it. Regardless of which button is clicked, "Next" or "Cancel", a download box will still pop up. This deceptive tactic is an attempt to scare the Internet user into clicking on the link or button to purchase MS Antivirus. If the user decides not to purchase the program, they will constantly receive pop-ups stating that the program has found infections and that they should register it in order to fix them. This type of behavior can cause a computer to operate more slowly than normal.
MS Antivirus will also occasionally display fake pop-up alerts on an infected computer. These alerts pretend to be a detection of an attack
on that computer, and the alert prompts the user to activate, or purchase, the software in order to stop the attack. More seriously, it can paste a picture of a Blue Screen of Death over the screen and then display a fake startup image telling the user to buy the software. The registry is also modified so the software runs at system startup. The following files may be downloaded to an infected computer:
- MSASetup.exe
- MSA.exe
- MSA.cpl
- MSx.exe
Depending on the variant, the files have different names and therefore can appear or be labeled differently. For example, Antivirus 2009 has the .exe file name a2009.exe.
In addition, in an attempt to make the software seem legitimate, MS Antivirus can give the computer symptoms of the "viruses" that it claims are on the computer. For example, some shortcuts on the desktop may be changed to link to pornography websites instead.
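The registry-based persistence described above is something a defender can check for. The script below is an added example written for this page, not code from the original article: it parses a constructed `reg export` of a Run key and flags entries whose launched program matches the dropper file names listed above (plus a2009.exe from the Antivirus 2009 variant). The sample export text, the user name and the file paths in it are constructed, not a real capture.

```python
import re
from pathlib import PureWindowsPath

# Dropper file names the article lists; a2009.exe is the Antivirus 2009 variant's.
ROGUE_AV_FILES = {"msasetup.exe", "msa.exe", "msa.cpl", "msx.exe", "a2009.exe"}

# Constructed sample of `reg export` output for HKCU\...\Run (not a real capture);
# .reg files escape backslashes as \\ and quotes as \" inside REG_SZ values.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MSA"="C:\\Program Files\\MSA\\MSA.exe /autorun"
"a2009"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\a2009.exe\" -startup"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="value"
EXE_EXT_RE = re.compile(r"\.(exe|cpl|scr|bat|cmd)\b", re.IGNORECASE)

def unescape(s):
    # Undo .reg escaping: a backslash followed by any char yields that char.
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_keys(reg_text):
    """Yield (key, value_name, command) for REG_SZ values under Run/RunOnce keys."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(("\\run", "\\runonce")):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def executable_name(command):
    """Lower-cased base name of the program a Run command launches."""
    if command.startswith('"'):  # quoted path: take up to the closing quote
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:  # unquoted path may contain spaces: cut after the first extension
        m = EXE_EXT_RE.search(command)
        path = command[: m.end()] if m else command.split(" ", 1)[0]
    return PureWindowsPath(path).name.lower()

def find_rogue_autoruns(reg_text):
    """Return Run entries whose launched program matches a known dropper name."""
    return [{"key": k, "value": n, "command": c}
            for k, n, c in parse_run_keys(reg_text)
            if executable_name(c) in ROGUE_AV_FILES]
```

On the sample export the function flags the "MSA" and "a2009" entries and leaves the legitimate OneDrive and ctfmon entries alone; a real check would feed it the output of `reg export` for the HKLM and HKCU Run and RunOnce keys.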
Malicious actions
Most variants of this malware will not be overtly harmful, as they usually will not steal a user's information (as spyware does) nor critically harm a system. However, the software will act to inconvenience the user by frequently displaying popups that prompt the user to pay to register the software in order to remove non-existent viruses. Some variants are more harmful; they display popups whenever the user tries to start an application or even tries to navigate the hard drive, especially after the computer is restarted. It does this by modifying the Windows registry. This can clog the screen with repeated pop-ups, potentially making the computer virtually unusable. It can also disable real antivirus programs to protect itself from removal. Whichever variant infects a computer, MS Antivirus always uses system resources when running, potentially making an infected computer run more slowly than before.
The malware can also block access to known spyware removal sites and in some instances, searching for "antivirus 2009" (or similar search terms) on a search engine will result in a blank page or an error page. Some variants will also redirect the user from the actual Google search page to a false Google search page with a link to the virus' page that states that the user has a virus and should get Antivirus 2009.
Antivirus 2009 can also disable legitimate anti-malware programs and prevent the user from opening or re-enabling them. Anti-malware applications disabled by Antivirus 2009 include McAfee, Spybot - Search & Destroy, AVG, Malwarebytes' Anti-Malware, and Superantispyware.
MS Antivirus is constantly updated and re-released to prevent detection by common legitimate anti-virus scanners.
Earnings
In November 2008, it was reported that a hacker known as NeoN hacked Bakasoftware's database and posted the earnings the company received from XP Antivirus. The data revealed that the most successful affiliate earned USD$158,000 in a week.
Court actions
On December 2, 2008 the U.S. District Court for the District of Maryland issued a temporary restraining order against Innovative Marketing, Inc. and ByteHosting Internet Services, LLC after receiving a request from the Federal Trade Commission (FTC). According to the FTC, the combined malware of WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus has fooled over one million people into purchasing the software marketed as security products. The court also froze the assets of the companies in an effort to provide some monetary reimbursement to affected victims. The FTC's complaint claims that the companies established an elaborate ruse that duped Internet advertising networks and popular Web sites into carrying their advertisements.
According to the FTC complaint, the companies charged in the case operated using a variety of aliases and maintained offices in the countries of Belize and Ukraine (Kiev). ByteHosting Internet Services is based in Cincinnati, Ohio. The complaint also names defendants Daniel Sundin, Sam Jain, Marc D'Souza, Kristy Ross, and James Reno in its filing, along with Maurice D'Souza, who is named as a relief defendant for receiving proceeds from the scheme.
External links
- XP Antivirus 2009 Description and Removal instructions on About.com