The following article is a compilation from various sources, attributed at the bottom of the post, and describes Rogue Security Software also known as Win32/FakeSecSen, how you get it, and what it looks like and does. The principal objective of all these types of rogue softwares is data collection.
How to remove it will be the subject of another post.
These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs, such as Trojan:Win32/Antivirusxp
may display product names or logos in an apparently unlawful attempt to impersonate Microsoft products. These products may represent themselves as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar.
In case you haven’t heard the term before, this is software that tells you that your system is crawling with bad stuff (for free!) and then offers to remove it for you (that’ll cost you). Of course the stuff they report is completely bogus; they are incapable of finding any real malware. What’s more they can be very insistent, repeatedly displaying popup warnings that make it virtually impossible to use your machine unless you pay to “register” the program. Apart from extorting money from innocent people, which is bad enough, this behaviour adds to the amount of FUD (fear, uncertainty and doubt) in the online community. As a virus researcher who’s spent more than ten years fighting real malware, this annoys me. Some even trade on the reputations of legitimate software vendors to help sell their scam. One such rogue that we’ve been seeing in high numbers is something we call Win32/FakeSecSen
, and is this month’s addition to the Malicious Software Removal Tool (MSRT
). FakeSecSen is a classic example of a rogue security scanner. It is distributed in a variety of different ways. One is through web sites that might look like this:
Another way is via malware that downloads the rogue directly. It is quite common for links to both the rogue web sites and the rogue downloaders to be distributed via spam, in cookies, or as a "drive-by" pickup. IT is not always neccesary to have "clicked" on anything in particlar to get this bug. If you see a pop-up advising you you have an infection, the best response is to immediately close all browser windows from the Taskbar. Closing the pop-up by clicking the "X" or pressing "cancel" on the window is often a trigger for a silent install.
An interesting, but not unusual, characteristic of Win32/FakeSecSen is that it uses many different disguises. As well as further contributing to the level of FUD and making them harder to keep track of, this might broaden their appeal to a wider audience – while one person may be convinced by something called “Ultimate Antivirus”, another would be more likely to install “Vista Antivirus 2008”. It may even lead to the same person being duped by the same rogue more than once. Here’s a list of names Win32/FakeSecSen has gone by recently:
Vista Antivirus 2008
Ultimate Antivirus 2008
Micro Antivirus 2009
Windows Antivirus 2009
Ultra Antivirus 2009
Each of these variants uses slightly different file and directory names, but underneath they are virtually identical. The most significant difference is immediately apparent when you run a couple of them:
The makers of this rogue have gone to significant effort to make it easy for them to change the look of their interface. Most of the interface elements are represented using GIF and JPEG images stored inside the file’s resources; in other words, it is “skinable”. For more examples of FakeSecSen’s various “skins”, have a look at our encyclopedia entry
You may notice that some of FakeSecSen’s skins look similar to the Windows Security Center. This is no coincidence. FakeSecSen even goes as far as adding its own imitation Security Center applet to the control panel, usually called “MS AV”, which just launches the fake scanner.
Symptoms may exhibit themselves in a variety of ways. The most obvious are visible symptoms such as unexplained icons, pop-ups or unidentified program links in your startup menu :-
or changes to registry settings
Symptoms vary among different distributions of Program:Win32/FakeSecSen, however, the presence of the following system changes (or similar) may indicate the presence of this program:
Some say imitation is the sincerest form of flattery, but for anti-malware providers like Microsoft, the trust and confidence of our customers is vital and we hate to see anyone taken in by this sort of thing. So please use a real anti-malware product - check with an independent testing authority, like Virus Bulletin
to make sure it’s legitimate.