
Trojan.FakeAV

Risk Level 1: Very Low

Discovered:
October 10, 2007
Updated:
August 19, 2014 11:20:30 AM
Type:
Trojan
Infection Length:
7,680 bytes
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Trojan.FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.

Clones
Trojan.FakeAV detects one of the most prolific types of risk seen on the Internet today. Every day many bogus antivirus and security applications are released and pushed to unsuspecting users through various delivery channels. Many of these programs turn out to be clones of each other: they are built from the same code base and presented under a different name and look, achieved through the use of a "skin". ThinkPoint, a misleading application in circulation since October 2010, is one such example.


Infection

Users may encounter this kind of threat when they visit Web sites that try to convince them to remove non-existent malware or security risks from their computers by installing the bogus software. The Trojan can also be installed by other malware, by drive-by downloads, or bundled with other software the user downloads and installs.

Users may be directed to these sites by way of the following methods:
  • Spam emails that contain links or attachments
  • Blogs and forums that are spammed with links to adult videos
  • User-generated content spam (e.g. fake videos)
  • Malicious banner advertisements
  • Pirated software (‘warez’) and pornography sites
  • Search Engine Optimization (SEO) poisoning
  • Fake torrent files or files on file sharing networks
  • Web pages containing exploits

The programs may also be downloaded onto the computer by other threats such as:


Functionality
These programs intentionally misrepresent the security status of a computer by continually presenting fake scan dialog boxes and alert messages that prompt the user to buy the product.

The programs often place an icon in the notification area of the operating system desktop and constantly display pop-up messages alerting the user to fake security issues such as virus infections. These pop-up windows only stop once the user has purchased the product and the non-existent threats have supposedly been removed from the compromised computer.

If the user decides to purchase the product, they are presented with a form within the application or are redirected to a Web site that requests credit card information.


Affiliate information
A single vendor is estimated to be responsible for approximately 80% of all misleading applications. The vendor recruits affiliates, who are then tasked with spreading and distributing the misleading applications. The applications are often re-skinned and/or re-branded ('cloned'). While the applications may vary in appearance, they all behave in the same way: they perform a 'scan' of the computer, report malicious objects, and prompt the user to purchase a full version of the program to remove the falsely reported threats.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Protection System

Note: Definitions dated before October 5, 2009 may detect this threat as Trojan.Fakeavalert.

Antivirus Protection Dates

  • Initial Rapid Release version October 22, 2007 revision 040
  • Latest Rapid Release version December 24, 2014 revision 034
  • Initial Daily Certified version October 10, 2007 revision 023
  • Latest Daily Certified version December 24, 2014 revision 018
  • Initial Weekly Certified release date October 17, 2007

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 50 - 999
  • Number of Sites: 10+
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Lowers security settings on the compromised computer.
  • Causes System Instability: May perform actions that prevent the user from accessing certain programs on the computer.

Distribution

  • Distribution Level: Low
Writeup By: Éamonn Young and Eric Chien
