Trojan.FakeAV


Risk Level 1: Very Low

October 10, 2007
August 19, 2014 11:20:30 AM
Infection Length:
7,680 bytes
Systems Affected:
Trojan.FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.

Trojan.FakeAV detects one of the most prolific types of risks seen on the Internet today. Every day, many bogus antivirus and security applications are released and pushed to unsuspecting users through various delivery channels. Many of these programs turn out to be clones of each other. They are often created from the same code base but presented with a different name and look, achieved through the use of a "skin". For example, ThinkPoint is a recent misleading application that has been in circulation since October 2010.


Users may encounter this kind of threat when they visit Web sites that attempt to convince them to remove non-existent malware or security risks from their computers by installing the bogus software. The Trojan can also be installed by other malware, by drive-by downloads, and during the download and installation of other software.

Users may be directed to these sites by way of the following methods:
  • Spam emails that contain links or attachments
  • Blogs and forums that are spammed with links to adult videos
  • User-generated content spam (e.g. fake videos)
  • Malicious banner advertisements
  • Pirated software (‘warez’) and pornography sites
  • Search Engine Optimization (SEO) poisoning
  • Fake torrent files or files on file sharing networks
  • Web pages containing exploits

The programs may also be downloaded on to the computer by other threats such as:

These programs intentionally misrepresent the security status of a computer by continually presenting fake scan dialog boxes and alert messages that prompt the user to buy the product.

The programs often have an icon in the notification area of the operating system desktop and constantly display pop-up messages alerting the user about fake security issues such as virus infections. These pop-up windows only disappear once the user has purchased the product and the non-existent threats have supposedly been removed from the compromised computer.

If the user decides to purchase the product, they are presented with a form within the application or are redirected to a Web site that requests credit card information.

Affiliate information
It is estimated that a single vendor is likely responsible for approximately 80% of all misleading applications. The vendor recruits affiliates, who are then issued the task of spreading and distributing the misleading applications. The applications are often re-skinned and/or re-branded (‘cloned’). While the applications may vary in appearance, they all perform in the same manner, i.e. perform a 'scan' of the computer, report malicious objects, and prompt the user to purchase a full version of the program to remove the falsely reported threats.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Protection System

Note: Definitions dated before October 5, 2009 may detect this threat as Trojan.Fakeavalert.

Antivirus Protection Dates

  • Initial Rapid Release version October 22, 2007 revision 040
  • Latest Rapid Release version February 16, 2018 revision 023
  • Initial Daily Certified version October 10, 2007 revision 023
  • Latest Daily Certified version February 16, 2018 revision 007
  • Initial Weekly Certified release date October 17, 2007
Writeup By: Éamonn Young and Eric Chien
