Today we found a Russian-language version of the PC Defender Antivirus rogue security product. The family itself isn't new; VIPRE has detected it for some time. What is new in this version is that it targets Russian-speaking victims. In the past we've seen a conscious effort on the part of rogue authors NOT to target Russians. The accepted theory is that the authorities in Russia tolerate miscreants who use the Internet as long as they only prey on foreigners.
On install, a fake blue screen appears saying "the problem seems to be in your antivirus software", implying, of course, that you should shut your real antivirus down.
Running the MSI installer immediately reboots the victim's computer, and after the reboot the Winlogon Userinit value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) carries a hijack entry, so the rogue is launched at every interactive logon:
REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\pcdef.exe"
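Because Userinit is a comma-separated list, a hijack like the one above is easy to miss if you only glance at the first entry. The following PowerShell script is an added example written for this page, not code from the original post or from VIPRE: it splits the value, flags anything other than the legitimate userinit.exe, and optionally shows what the extra entry points to. The sample string is the value quoted above; the `Get-UserinitHijack` function name and the commented-out repair line are this example's own.

```powershell
function Get-UserinitHijack {
    <#
      Returns every entry in a Userinit value that is not the legitimate
      userinit.exe. An empty result means the value looks clean.
    #>
    param(
        [Parameter(Mandatory)] [string] $Value,
        [string] $Expected = (Join-Path $env:SystemRoot 'system32\userinit.exe')
    )
    # Userinit is a comma-separated list; paths with spaces are usually quoted.
    # (A comma inside a quoted path would be split too, which is rare in practice
    # and would still surface the extra entry as suspicious.)
    $entries = $Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' }

    # Anything beyond the single expected binary is an extra autostart.
    $entries | Where-Object { $_ -ine $Expected }
}

# Constructed sample: the hijacked value reported in the post above.
$sample = 'C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\pcdef.exe"'
Write-Output 'Extra entries in the sample value:'
Get-UserinitHijack -Value $sample -Expected 'C:\WINDOWS\system32\userinit.exe'

# Live check of this machine. Run elevated if you intend to repair the value.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$extra = Get-UserinitHijack -Value $live

if ($extra) {
    Write-Warning "Userinit hijack found: $($extra -join '; ')"
    foreach ($path in $extra) {
        # Show the dropped binary so it can be collected before cleanup.
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        } else {
            Write-Output "  (file not present: $path)"
        }
    }
    # Repair: restore the stock value. Windows ships it with a trailing comma.
    # Set-ItemProperty -Path $key -Name Userinit -Value "$env:SystemRoot\system32\userinit.exe,"
} else {
    Write-Output "Userinit is clean: $live"
}
```

Removing the registry entry alone is not a cleanup: the dropped files in the "PC Defender" folder should be removed (or quarantined by your scanner) as well, otherwise the installer can simply re-add the entry.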
The folder created and the files dropped into it match our earlier detection for PCDefenderAntivirus, although this is a Russian-language version.
PC Defender Antivirus then pretends to find malicious code from a (non-existent) gay porn site on the victim's machine in order to frighten him or her into purchasing this useless application.
PC Defender Antivirus graphical interface.
Of course, this is only a trial version (the interface reads "пробная версия", "trial version").
Fake alert screen:
опасность! (Danger)
Under the porn image (which we've covered up) is the Russian text "этот вирус возможно с сайта", which translates to "this virus probably came from the site".
The site the alleged malware supposedly came from (gay-porn-world.net) doesn't exist.
How to remove PC Defender Antivirus:
If PC Defender Antivirus has infected your PC, you should remove it immediately. Click here to use VIPRE to remove PC Defender Antivirus from your computer now.