Fake Alert Uses McAfee-like Domain Name to Attract Victims

Cybercriminals love to use social engineering techniques to trick users into installing their malware. One of the latest fake-alert variants attempts to trick users into believing the software is related to or hosted by McAfee: mcafeevirusremover.com.

With DAT release 5835 (December 17) McAfee detects the HTML code for the domain as FakeAlert-KW!htm and the associated Trojan as FakeAlert-KW. The script hosted by the domain can attack the Windows browsers Internet Explorer, Mozilla Seamonkey, and Chrome. The script also affects browsers on Linux platforms.

This fake-alert variant is hosted on at least 13 other known domains. McAfee’s Trusted Source blocks the IP addresses and the domains (including DNS and mail servers) associated with this Trojan. For example:

The infection begins by redirecting the victim to the domain hosting the Trojan script code. This website is designed to look like Windows Explorer in Windows XP. It “reports” multiple infections on the victim’s computer:

If the user clicks anything within the browser, the FakeAlert-KW Trojan will download. Once it is installed, the Trojan offers a graphical interface designed to appear as a legitimate security application reporting multiple infections on the victim’s computer:

Infected machines will also suffer a barrage of pop-up balloons from the System Tray warning of various problems that require the user to register the software for a fee to “clean” the system:

Remember to update your McAfee products to ensure you are protected from these threats.