
Discovered: October 10, 2007
Updated: August 19, 2014 11:20:30 AM
Type: Trojan
Infection Length: 7,680 bytes
Systems Affected: Windows

Trojan.FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.

Trojan.FakeAV detects one of the most prolific types of risk seen on the Internet today. Every day, many bogus antivirus and security applications are released and pushed to unsuspecting users through various delivery channels. Many of these programs turn out to be clones of each other: they are often created from the same code base but presented with a different name and look, achieved through the use of a "skin". ThinkPoint, in circulation since October 2010, is one recent example of such a misleading application.


Users may encounter this kind of threat when they visit Web sites that attempt to convince them to remove non-existent malware or security risks from their computers by installing the bogus software. The Trojan can also be installed by other malware, drive-by downloads, and when downloading and installing other software.

Users may be directed to these sites by way of the following methods:

  • Spam emails that contain links or attachments
  • Blogs and forums that are spammed with links to adult videos
  • User-generated content spam (e.g. fake videos)
  • Malicious banner advertisements
  • Pirated software (‘warez’) and pornography sites
  • Search Engine Optimization (SEO) poisoning
  • Fake torrent files or files on file sharing networks
  • Web pages containing exploits

The programs may also be downloaded on to the computer by other threats such as:

These programs intentionally misrepresent the security status of a computer by continually presenting fake scan dialog boxes and alert messages that prompt the user to buy the product.

The programs often have an icon in the notification area of the operating system desktop and constantly display pop-up messages alerting the user about fake security issues such as virus infections. These pop-up windows only disappear once the user has purchased the product and the non-existent threats have supposedly been removed from the compromised computer.

If the user decides to purchase the product, they are presented with a form within the application or are redirected to a Web site that requests credit card information.

Affiliate information
It is estimated that a single vendor is likely responsible for approximately 80% of all misleading applications. The vendor recruits affiliates, who are then issued the task of spreading and distributing the misleading applications. The applications are often re-skinned and/or re-branded (‘cloned’). While the applications may vary in appearance, they all perform in the same manner, i.e. perform a 'scan' of the computer, report malicious objects, and prompt the user to purchase a full version of the program to remove the falsely reported threats.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Protection System

Note: Definitions dated before October 5, 2009 may detect this threat as Trojan.Fakeavalert.

Antivirus Protection Dates

  • Initial Rapid Release version October 22, 2007 revision 040
  • Latest Rapid Release version November 12, 2019 revision 009
  • Initial Daily Certified version October 10, 2007 revision 023
  • Latest Daily Certified version November 04, 2019 revision 065
  • Initial Weekly Certified release date October 17, 2007


Technical Description

1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software

2. Infection method
2.1 Spam email
2.2 Social networking
2.3 Search engine poisoning
3. Functionality
3.1 Pop-up messages
3.2 Fake antivirus scans
3.3 Clones
4. Additional functionality
4.1 Fake loss of desktop
4.2 Fake restarts
4.3 Fake system errors
4.4 Blocking execution of programs
4.5 Mimicking well-known antivirus brands
4.6 Bogus reviews and awards
4.7 Professional looking product pages
4.8 Multiple language user interface
4.9 Live online support
5. Additional information
5.1 Affiliates
5.2 Resources

The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
Users should be aware that email messages with malicious content may appear to have been sent by people known to them, and as such the fact that the sender is known does not guarantee the safety of any particular message.

Spam emails may contain malicious links that have been disguised or otherwise made to appear benign. Users should exercise caution when following links in email messages, especially if:

  • The sender is not known
  • Given the sender, the characteristics of the email are unusual
  • The link is to an unknown domain or an executable file

Users should avoid opening email attachments unless their authenticity can be verified.

The downloading of files using peer-to-peer file-sharing networks can lead to infection. Users should avoid downloading files from unknown or untrustworthy sources, including fake video Web sites that may serve the Trojan executable under the guise of it being a codec that is required to watch a streaming video.

Users can mitigate the risk of infection by being careful about clicking links found on Web sites such as blogs and forums, where there is potentially little control over, or quality checking of, the content. Basic checks, such as hovering the mouse pointer over a link, will normally show where the link leads. Users can also consult an online Web site rating service to see whether the site is deemed safe to visit.

When performing searches in search engines, users should treat any results returned with caution and double-check them before following the links. If pop-up advertisements are displayed, users should not click on them or follow any links within them.

Users offered an unfamiliar security product by way of pop-up messages or other similar methods while browsing the Web should exercise extreme caution and, if in doubt, should not download and install the software. It is generally safer to buy from a well-known or trusted brand's site, or to buy a product that can be purchased physically from a local shop.

The following file names are commonly used for the installer components of Trojan.FakeAV. Users should avoid downloading and running programs with file names that are the same or similar to those listed below:
  • Av.exe
  • Ave.exe
  • Contract.exe
  • Ecard.exe
  • Eticket.exe
  • Install.exe
  • Invoice.exe
  • Msa.exe
  • Msb.exe
  • Postcard.exe
  • Settings.exe
  • Video[1].exe

1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.

This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.

2.1 Spam email
Spam email is one of the primary methods used to distribute programs of this nature. Contents of spam emails are frequently changed and updated. The following are some representative samples of the types of emails that are used for propagation of these programs.

Update for Microsoft Outlook / Outlook Express (KB910721)

A new settings file for the [EMAIL ADDRESS]@ [DOMAIN].com has just be released

Email body
Dear use of the [DOMAIN].com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox [EMAIL ADDRESS]@ [DOMAIN].com settings were changed. In order to apply the new set of settings open this file:

http://[DOMAIN NAME]/settings.exe
Best regards, [DOMAIN].com Technical Support.


Conficker.B Infection Alert

Email body
Dear Microsoft Customer,

Starting 12/11/2009 the 'Conficker' worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division


Known topics used
Symantec has observed the following topics used in spam emails used to distribute variants of this threat family:
  • Security upgrades
  • The Conficker (Downadup) worm
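The precautions in section 1.1 (unknown sender or domain, links to executables, the listed installer names) and the attachment types named in the best-practices list can be combined into a simple mail-triage check. The following is an added example, not Symantec's code; the domains, file names and the sample message are constructed for illustration and modelled on the "new settings file" lure quoted above.

```python
"""Triage heuristics for FakeAV-style lure emails (added example, not Symantec's
code). Scores a raw email against the red flags this writeup lists: links to
executables or unknown domains, risky attachment types, known installer names."""
import os
import re
from email import message_from_string
from urllib.parse import urlparse

# Installer file names listed in section 1.1 of the writeup (lower-cased).
FAKEAV_INSTALLER_NAMES = {
    "av.exe", "ave.exe", "contract.exe", "ecard.exe", "eticket.exe",
    "install.exe", "invoice.exe", "msa.exe", "msb.exe", "postcard.exe",
    "settings.exe", "video[1].exe",
}
# Attachment extensions the best-practices list recommends blocking.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _domain(address: str) -> str:
    # Lower-cased domain of an address such as 'Support <user@host>'.
    return address.rsplit("@", 1)[-1].strip("> \t").lower()


def check_url(url: str, trusted_domains: set[str]) -> list[str]:
    """Red flags for one hyperlink: unknown host, executable target, lure name."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    flags = []
    if host not in trusted_domains:
        flags.append(f"link to unknown domain: {host}")
    if os.path.splitext(filename)[1] in BLOCKED_EXTENSIONS:
        flags.append(f"link points to an executable file: {filename}")
    if filename in FAKEAV_INSTALLER_NAMES:
        flags.append(f"link file name matches a known FakeAV installer: {filename}")
    return flags


def check_attachment(filename: str) -> list[str]:
    """Red flags for one attachment: blocked extension, known installer name."""
    lowered = filename.lower()
    flags = []
    if os.path.splitext(lowered)[1] in BLOCKED_EXTENSIONS:
        flags.append(f"attachment type commonly used to spread threats: {filename}")
    if lowered in FAKEAV_INSTALLER_NAMES:
        flags.append(f"attachment name matches a known FakeAV installer: {filename}")
    return flags


def triage_message(raw: str, trusted_domains: set[str]) -> dict:
    """Walk every MIME part; return the flags found and a deliver/quarantine verdict."""
    msg = message_from_string(raw)
    flags = []
    # A known sender domain is not proof of safety (the lure spoofs the victim's
    # own provider), so it is only one signal among several.
    if _domain(msg.get("From", "")) not in trusted_domains:
        flags.append("sender domain is not known")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            flags.extend(check_attachment(filename))
        elif part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(text):
                flags.extend(check_url(url, trusted_domains))
    return {"flags": flags, "verdict": "quarantine" if flags else "deliver"}


# Constructed sample: the sender spoofs the victim's own mail provider, but the
# link leads to an executable named settings.exe on an unrelated host.
SAMPLE_LURE = """\
From: "Technical Support" <support@example-mail.test>
Subject: A new settings file for the user@example-mail.test has just be released
Content-Type: text/plain

Dear use of the example-mail.test mailing service!
In order to apply the new set of settings open this file:
http://example-updates.test/settings.exe
Best regards, example-mail.test Technical Support.
"""

if __name__ == "__main__":
    for flag in triage_message(SAMPLE_LURE, {"example-mail.test"})["flags"]:
        print(flag)
```

Because the sender address is spoofed to the recipient's own provider, the sender check alone passes; it is the link analysis that flags the message, which is the point the writeup makes about known senders.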

2.2 Social networking
With the use of social networking sites growing at such an explosive rate, it was inevitable that malware authors would attempt to utilize these services as a way to reach a wider audience. Facebook and Twitter profiles have been hacked in order to post updates pointing to sites that host misleading applications. The lure in these cases may include popular videos or content of a pornographic nature.

2.3 Search engine poisoning
Vendors of these programs can often take advantage of high profile news items or events that may be commanding considerable interest on the Internet and in the media. In fact, it is an unfortunate and now repetitive trend that whenever a newsworthy story breaks, it is inevitably followed by malware surfing the crest of information lust surrounding such stories. Recent examples include:

  • Icelandic volcano (search results)
  • Rozlyn Papa (sample video link)
  • Chilean earthquake (search results)
  • Californian earthquake (search results)
  • Hawaii tsunami (search results)
  • Tiger Woods motoring accident

Vendors of fake security software often take advantage of interest generated by major events on the world stage, such as major disasters, sporting events, celebrity scandals, and so on.

When such events occur, the interest is often mirrored on the Internet by way of increased Web searches for keywords relating to those events. For example, during the Tiger Woods incident in November 2009, search terms related to the event – including the names of the people involved in the incident and the area where they lived – became some of the top terms searched for in well-known search engines. The authors of the misleading applications wasted no time in taking advantage of this by poisoning the search engine results.

When a user searches for these terms, results containing malicious links may be returned. When clicked on, they may be redirected to a site that hosts a misleading application.

The most popular search terms at any given time are recorded by Google. These terms may produce poisoned search engine results that ultimately lead to sites hosting these misleading applications.

A poisoned search engine link may present the user with the option of watching a video that relates to the topic they have searched for. However, this video will not play immediately.

Instead, the user will be instructed to download and run a file in order to watch the video. This file may be portrayed as a codec, a Flash installer file, or an ActiveX control, when in fact it is a copy of a misleading application.

In other cases, the poisoned search result will redirect the browser to a Web site that hosts a fake online security scanner, which attempts to perform a fake scan within the browser window. The fake scan is designed to look like a legitimate Windows operating system window. The fake scan window may include icons, progress bars, and names of drives and folders that commonly exist on computers with Windows installed.

When the fake scan has completed, the program then displays a list of falsely detected files.

The fake scan windows mimic the look and feel of different versions of the Microsoft Windows operating system, including Windows XP, Windows Vista, and Windows 7.

The user may then be instructed to purchase the software in order to remove these falsely reported threats.

Symantec has produced a video that illustrates several of the infection techniques discussed in the above section. The video also demonstrates some of the devious tricks that the threat can use in order to increase the apparent severity of the fake detections.

The previous section described several of the techniques that vendors use in order to introduce the program on to the user’s computer, and once installed the program may then immediately begin its deceptive actions.

3.1 Pop-up messages
These programs attempt to convince the user to purchase a license for the application in order to remove various falsely reported threats. They may display pop-up alerts requesting that the user allow the program to perform a scan of the computer. These pop-up alerts are displayed periodically until the user allows the program to perform the scan.

3.2 Fake antivirus scans
When the user decides to allow the program to initiate a scan of the computer, the scan may operate in a number of ways:
  • Some applications perform a fake scan with variable results, but always detect at least one malicious object.
  • Some applications do actually scan the computer, but use a database filled with clean objects that are reported as malicious entities.
  • Some applications create their database of malicious entities by parsing security vendor writeups for infection artifacts.
  • Some applications may drop files that are then ‘detected’.

After the scan has been performed, the user is presented with a number of files – always at least one – that have supposedly been detected as malware.

Once the program has reported the alleged existence of threats on the compromised computer, the user may be informed that the version of the program they are using is a trial version and must be activated in order to remove these falsely reported threats.

The user is required to purchase a license to activate the software at a typical cost of up to US $100. The activation price may depend on the duration of the license and/or whether ‘technical support’ is included.

3.3 Clones
These misleading applications are constantly cloned and rebuilt with new user interfaces, which are built to a high standard in order to appear professional.

The following are some examples of misleading applications in circulation at the time of writing.




The programs may also often employ various techniques in order to frustrate, frighten, and annoy the user into paying for a license for the program.

4.1 Fake loss of desktop
SecurityToolFraud periodically causes the compromised computer to restart. After the restart, the program overlays a black window on the desktop, making it appear as if the desktop, icons, and wallpaper have been deleted.

4.2 Fake restarts
Antivirus2010 displays the following misleading image to the user claiming that their version of the misleading application is unregistered. The image makes it appear as though the computer is restarting, but in fact, the computer does not restart – it is merely an animated image that is displayed by the program.

4.3 Fake system errors
Another trick, which has been employed by a misleading application named NortelAntivirus, is to display a ‘blue screen of death’ (BSOD). Rather than actually causing a BSOD, however, the program simply displays a fake animation similar to that shown by Windows when a genuine error is encountered.

4.4 Blocking execution of programs
SecurityToolFraud has a feature that intercepts requests to run applications such as Notepad and falsely reports that Notepad.exe is infected, in this case with Lsas.Blaster.Keyloger. After it reports the infection, the program window is closed, effectively performing a denial of service that prevents the program from being used. The misleading application may carry out this type of action against many different common applications, such as MsPaint and Regedit.

4.5 Mimicking well-known antivirus brands
NortelAntivirus has been designed to have the same appearance as Norton Antivirus. Clones of other well-known antivirus products are also known to exist.

4.6 Bogus reviews and awards
Vendors may create Web sites containing bogus reviews of the misleading applications. The Web sites may declare that the misleading application performs better than other well-known antivirus brands. They can also falsely claim that the product has received several prestigious awards and positive reviews from various recognized software magazines.

4.7 Professional-looking product pages
In order to further convince the user to purchase the product, many of these applications also have a professionally designed product Web page. These Web sites borrow techniques and content from legitimate antivirus vendor Web sites to make them appear authentic.

4.8 Multiple language user interface
Some versions even provide multiple language support in their user interface in order to increase the perception that they are legitimate applications.

4.9 Live online support
To further demonstrate the professionalism behind the operations of the misleading application scams, some versions even have live online support staffed by real humans. Symantec has published a blog article describing how some misleading application vendors provide this human-staffed support to help convince unwitting users to part with their hard-earned cash. This further demonstrates how well developed this scam business model has become.

In summary, all of these tricks add up to a powerful and effective arsenal of techniques that the misleading application pushers can call upon to further their aims.


5.1 Affiliates
It is estimated that one vendor is responsible for approximately 80% of all misleading applications. The vendor is known by many aliases, including the following names:
  • Bakasoftware
  • Pandora Software
  • New Concept Business S.L.
  • Innovagest 2000

The vendor or their affiliates create the Web sites that host and distribute the misleading applications. It is common for these affiliates to sub-contract some work to further affiliates. This way, by the time the program is installed on a computer, it may have been re-packaged with other malware (which has been included by the affiliates).

The involvement of the affiliates can vary from creation to final production of the fake security software, and may include any of the following roles:
  • Application programmer – The role of the programmer is to write and maintain the code base that is used in the program.
  • Designer – The role of the designer is to design the user interface and alert windows of the program.
  • Packer creator – The role of the packer creator is to generate ways to avoid antivirus detection.

Applications are often rebranded as clones. The clones can take any of the following formats:
  • The same user interface (UI) can have a different code base
  • The same code base can have a different UI
  • Different custom packers can be used

The clones are released daily to weekly and the code bases can change anywhere from weekly to monthly. The affiliates are responsible for distributing the misleading applications using the techniques discussed earlier.

5.2 Resources
For more information relating to this threat family, please see the following resources:


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

Writeup By: Éamonn Young and Eric Chien