Antivirus Fraud 2008

2008 continues to live up to the title “The Year of Rogueware”. So far this year, bots, worms and viruses all seem to live in the shadow of this type of activity. Users are actually trying to run this constantly changing stuff on their systems, and AV scanners miss it altogether during its effective window in the wild (ITW). Rogueware themes change, the binaries change, and the websites change somewhat according to thematic content. You can see a lack of scanner detection here.

Accelerated numbers of “AntiVirus2008” software installs are popping up. The software, created by our familiar developer friends in the Ukraine (yes, that is sarcasm), can be found at “hxxp://www.antivirus-scanner.com”. We’re seeing installs from a file named “antvrsinstall.exe”, which drops “antvrs.exe”. Here’s another fraudulent screenful from its distributors. Despite what they state, no dangerous files or viruses were detected on the system, because the web site isn’t really scanning my system.

Quarantine it if you see a popup from ThreatFire warning you of “PuA.Rogueware”.


6 Responses to Antivirus Fraud 2008

  1. Schwartz says:

    The website you wrote about appeared in my browser when I tried to click on a friend’s MySpace profile. The website kept trying to get me to download the files, but I wouldn’t allow it, and ultimately I had to ctrl+alt+del my way out of the situation.

    Question: though I never allowed it to download, should I nonetheless be worried about it having dumped something onto my hard drive?

  2. ThreatFire Blogger says:


    Thanks for your comment.

    Interesting concern that you have. These sorts of packages of fraudulent AV software traditionally have been delivered using client-side exploits, or the “drive-by” install. That activity seems to be waning a bit.
    Nonetheless, malicious sites don’t really dump things onto your hard drive; they actively exploit vulnerabilities in your system’s software.

    So simply visiting the web page can present risk — there is cause to pay some attention to your system here. Some questions to ask: Is your system fully patched with the Microsoft and third-party updates (QuickTime, etc.)? Was your system running security software when you visited the site? Have you scanned your system with both AV software and/or rootkit detection tools like ThreatFire and gmer?

    There are online volunteer-staffed boards like at castlecops.com and others offering help, or you could try taking your box to retailers like Best Buy for some paid tech help.
    While I cannot fully answer your question, because I have not seen the page you were redirected to, I am confident in saying that there is some cause for concern here. You may get some help at our forums as well. Look for “Viruses, Worms and Trojans” and “Spyware, Adware and Malware Discussion” boards. Good luck!

  3. codger says:

    Slight deviation… Yet another “Virus alert” arrived today called “Postcard”. Checked on Snopes.com and they say genuine…
    Can you comment?

  4. Christopher Schwartz says:

    Thanks for the help! I’ll make sure to look into this.

    It’s bloody well messed up that we have to be so vigilant about surfing the net.

  5. ThreatFire Blogger says:


    Sorry, I’m unsure of what you mean by “Yet another Virus alert arrived today Called Postcard”. Do you mean that it was named “Postcard” by an AV product?

    Anyways, the Storm gang is back to spamming out malicious links to users, which lead to “iloveyou.exe” type executables. If that’s what you mean, then yes, it could be malicious. As always, keep your Windows system patched (if you use Windows) and applications and sec products up to date as well.

  6. Anthony says:

    What shocks me is how those darn fraudulent websites can appear in the top 10 results of some searches

    (e.g. "Mario level editor")

    Surely Google have safeguards to prevent that type of thing from happening.
    Maybe there's a whole community of idiots taking advantage of Google bombing.
    If you try and leave they block you with JavaScript popups (so, like Schwartz, I had to use Task Manager to force my way out of there).

    It's just so irritating that there are jerks out there with nothing better to do with their lives than to destroy someone else's computer.
