McAfee Research Blog

Rebranded Rogue Anti-Virus Strikes Again

September 30th, 2009

Recently, we analysed samples of a new fake anti-virus program that brands itself as Alpha Antivirus. This program uses the following filenames: alphaav.exe and msnaoladdon.dll.

Alpha Antivirus is a new FakeAlert variant evolved from the Personal Antivirus family of rogue anti-virus software. Like many FakeAlert malware, Alpha Antivirus promotes itself through pop-up web pages hosted on malicious websites. These web pages mimic a Windows Explorer folder and a Windows Security Alert dialog, and perform a free but fake online scan of the affected system.

[Screenshot: fake online scanning page]

Several domains were known to host the fake online-scanning web pages and the main executable of Alpha Antivirus:


The software prompts the user to install Alpha Antivirus. Once executed, it launches a fake scan and reports multiple infections:

[Screenshots: Alpha Antivirus fake scan results]

It also displays misleading pop-up warnings on the Windows taskbar.

[Screenshots: Alpha Antivirus taskbar pop-up warnings]

This variant drops a copy of itself as %ProgramFiles%\AlphaAV\AlphaAV.exe and an msnaoladdon.dll component in the Windows System folder, and registers the DLL file as a browser helper object (BHO) so that it is loaded into Internet Explorer.

(%ProgramFiles% refers to the Programs folder, for example, C:\Program Files.)

AlphaAV.exe is detected as FakeAlert-DI, while msnaoladdon.dll is detected as FakeAlert-EQ.

Frequently, we see abrupt changes in the branding, filenames, and GUIs used by the same fake anti-virus programs. As more security vendors and researchers publish their findings about new rogue anti-virus programs, malware authors repackage their “products” with new brand names and filenames, and apply more obfuscation and encryption to their files, in an attempt to avoid being recognised by users and, in some cases, to evade detection by security vendors.

Some known brand name and filename changes:

1. From pav.exe + winexplorer.dll to personalav.exe + msxmlm.dll (Personal Antivirus), and again to alphaav.exe + msnaoladdon.dll (Alpha Antivirus)

2. From frmwrk32.exe to winupdate.exe (Antivirus XP/Pro)

3. From pcdef.exe + mousehook.dll + ntdll64.dll (WinPC Defender) to winav.exe + ieocx.dll + iehostcx32.dll (WinPC Antivirus)

4. From Spyware Protect 2009 to Antivirus System Pro
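As an added example (not code from the original post or from McAfee), the following hunting script checks the browser helper objects registered on a host against the filenames listed above, since a BHO registration is how the Alpha Antivirus DLL persists. The registry locations are the standard BHO registration keys; the CLSIDs and paths in the embedded sample are constructed placeholders used when the script is not run on Windows.

```python
"""Hunt for rogue-AV browser helper objects (BHOs) by the filenames this post lists."""
import ntpath  # Windows path semantics on any host, so basenames parse correctly offline
import sys
from typing import Dict, List, Optional, Tuple
# Filenames taken from the post, grouped by the rogue AV brand they were seen under.
ROGUE_FILENAMES: Dict[str, Tuple[str, ...]] = {
    "Alpha Antivirus": ("alphaav.exe", "msnaoladdon.dll"),
    "Personal Antivirus": ("pav.exe", "winexplorer.dll", "personalav.exe", "msxmlm.dll"),
    "Antivirus XP/Pro": ("frmwrk32.exe", "winupdate.exe"),
    "WinPC Defender/Antivirus": ("pcdef.exe", "mousehook.dll", "ntdll64.dll",
                                 "winav.exe", "ieocx.dll", "iehostcx32.dll"),
}
# Standard key under HKLM where Internet Explorer BHOs are registered by CLSID.
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

def classify_path(path: str) -> Optional[str]:
    """Return the rogue-AV brand whose known filename matches path's basename, else None."""
    name = ntpath.basename(path).lower()
    return next((brand for brand, names in ROGUE_FILENAMES.items() if name in names), None)

def flag_bhos(bho_dlls: Dict[str, str]) -> List[dict]:
    """bho_dlls maps BHO CLSID -> its InprocServer32 DLL path; return the suspicious ones."""
    return [{"clsid": c, "dll": d, "brand": classify_path(d)}
            for c, d in bho_dlls.items() if classify_path(d)]

def read_bhos_from_registry() -> Dict[str, str]:
    """Windows only: enumerate registered BHO CLSIDs and resolve each to its DLL path."""
    import winreg  # imported lazily so the module still loads on non-Windows hosts
    result: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(key, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InprocServer32") as k:
                    result[clsid] = winreg.QueryValueEx(k, "")[0]  # default value = DLL path
            except OSError:
                continue  # BHO registered but its CLSID has no InprocServer32 entry
    return result
# Constructed sample standing in for a registry read; the CLSIDs are placeholders.
SAMPLE_BHOS: Dict[str, str] = {
    "{00000000-0000-0000-0000-000000000001}": r"C:\Program Files\Example Vendor\helper.dll",
    "{00000000-0000-0000-0000-000000000002}": r"C:\WINDOWS\system32\msnaoladdon.dll",
}
if __name__ == "__main__":
    bhos = read_bhos_from_registry() if sys.platform == "win32" else SAMPLE_BHOS
    for hit in flag_bhos(bhos):
        print(f"{hit['clsid']} -> {hit['dll']} (known {hit['brand']} filename)")
```

A match on filename alone is a lead, not a verdict: confirm with the file's location, signer and the FakeAlert-DI/FakeAlert-EQ detections before cleaning.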

As a gentle reminder to all users: Avoid visiting untrusted websites, install anti-malware products only from trusted and legitimate sources, and update the DATs regularly.
