Fake App Attack: Fake AV Website 8

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects a fake antivirus scan page that displays false virus scan results.

Additional Information

This signature is designed to prevent access to sites that redirect users or perform actions to trick users into calling the scammer and installing misleading applications such as fake antivirus software.

The creators of misleading applications often use web pages with fake antivirus scanners in order to convince users to download and run an executable file. They may also use intermediate sites that redirect users from the site they are visiting to another one offering misleading applications for download.

Misleading applications such as fake antivirus scanners (Trojan.FakeAV, http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99) or bogus disk defragmenters (UltraDefraggerFraud, http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-112113-1147-99) are designed to mislead users into thinking that their computer has serious problems that must be fixed by paying for a license of the software. For example, a fake antivirus scanner may perform fake scans of the hard disk and then report multiple non-existent threats. To remove the threats, the misleading application tells the user to purchase a license for the software, which may cost anything from forty to one hundred dollars plus, depending on whether a "support" package is purchased or not. The software and any support packages offered are bogus and will offer no help whatsoever in cleaning up the problem or protecting against any other threats.

Newer generations of misleading applications may also cause instability on the computer such as moving files around, hiding them, or preventing access to certain resources. This is done to coerce the user into buying the fake software.

Affected

  • Various operating systems

Response

No further action is required, but you may wish to perform some of the following actions as a precautionary measure:

  • Run the Norton Power Eraser (home users).
  • Run the Symantec Power Eraser (business users).
  • Update your product definitions and perform a full system scan.
  • Submit suspicious files to Symantec for analysis.

If you believe that the signature is reported erroneously, please read the following:
Report a potential false positive to Symantec.