
FakeAlert Trojan Holds Systems For Ransom

Tuesday, May 12, 2009 at 9:14pm by Avelino Rico Jr

In March 2009, we notified our customers of a new variant of the infamous Vundo trojan family, which we detected as Ransom-F, and raised its risk assessment to a Low-Profiled threat. It was possibly the first indicator of a shift in the FakeAlert criminal model from instilling fear to holding information technology resources for ransom, but certainly not the last.

Last week, we came across a new variant of a rogue security program branded by its creators as “System Security 2009”, which we detect as FakeAlert-CO; some of its earlier, similarly branded cousins are detected as FakeAlert-SystemSecurity.

The updated variants were discovered on a web page hosted on trustedw{blocked}security.com. Like most other rogue security programs to date, FakeAlert-CO displays spurious alerts and makes fraudulent claims of infections that require the user to pay a fee to “repair”. Following the trend of Ransom-F, we noticed “new features” in FakeAlert-CO that resemble some common characteristics of ransomware trojans.

Once installed, FakeAlert-CO may either terminate all running user processes or prompt the user to reboot.

In either case, it then pretends to perform a system scan and reports detections of false and exaggerated threats.

What sets it apart from older variants is that the user is no longer allowed to open or execute any applications, including Task Manager, Command Prompt or other system and office applications, which are terminated by FakeAlert-CO. A message tells the user that the files are infected and that, to resolve the issue, the user must activate FakeAlert-CO at a cost.
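The lock-out behaviour described above (one program repeatedly killing Task Manager, Command Prompt and other applications) can be hunted for in process telemetry. The following is an added example, not code from the original post or from McAfee: it assumes events shaped like Sysmon Event ID 10 (ProcessAccess) records, and the sample events, the `sample_rogue.exe` path, the watched-tool list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # Windows access right required to kill a process
# Assumed watch list: tools a user would reach for to stop a rogue program.
WATCHED_TOOLS = {"taskmgr.exe", "cmd.exe", "regedit.exe", "msconfig.exe"}

# Constructed sample events (not real telemetry):
# (UtcTime, SourceImage, TargetImage, GrantedAccess)
SAMPLE_EVENTS = [
    ("2009-05-12 09:00:01", r"C:\Users\alice\AppData\Local\Temp\sample_rogue.exe",
     r"C:\Windows\System32\taskmgr.exe", "0x1"),
    ("2009-05-12 09:00:03", r"C:\Users\alice\AppData\Local\Temp\sample_rogue.exe",
     r"C:\Windows\System32\cmd.exe", "0x1"),
    ("2009-05-12 09:00:07", r"C:\Users\alice\AppData\Local\Temp\sample_rogue.exe",
     r"C:\Program Files\Microsoft Office\WINWORD.EXE", "0x1"),
    # Read-only access (no terminate bit): must not count.
    ("2009-05-12 09:00:09", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\taskmgr.exe", "0x1410"),
    # A single administrative kill: below the threshold.
    ("2009-05-12 09:05:00", r"C:\Windows\System32\taskkill.exe",
     r"C:\Windows\System32\notepad.exe", "0x1"),
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_process_killers(events, window=timedelta(seconds=60), min_targets=3):
    """Map each source image to the targets it asked to terminate, if it hit
    at least min_targets distinct processes, one of them a watched tool,
    inside a sliding time window."""
    by_source = defaultdict(list)
    for ts, src, dst, access in events:
        if int(access, 16) & PROCESS_TERMINATE:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_source[src.lower()].append((when, basename(dst)))
    findings = {}
    for src, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # shrink the window from the left
            targets = {name for _, name in hits[start:end + 1]}
            if len(targets) >= min_targets and targets & WATCHED_TOOLS:
                findings[src] = sorted(targets)
                break
    return findings
```

Legitimate software can also request terminate access, so the threshold and watch list need tuning against a baseline before alerting on this.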

 

 

The “product” website is made to look fairly professional, offering an option to purchase a 2-year license or a lifetime support license at a “discount”, and it even comes with a 30-day money-back guarantee!

You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.

Uninstalling the System Security “product” will not be an option for the typical user, as there is no uninstaller function, and “Add or Remove Programs” in the Control Panel cannot be opened via the usual means.

However, the reported infected files are intact, and are not modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically and system tools and applications can be executed and accessed normally.

Affected VirusScan users may remove this threat using the latest DATs and engine.


Comments (6)

  • Mark June 12, 2011 2:38AM

    This virus has landed on my PC and I managed to get McAfee to run a full scan and clean up, but it has left my PC running slow and forces programs to crash shortly after starting. Is there something I should do? I am of a mind to reformat the hard drive and start again.

  • S Godfrey May 22, 2011 10:06AM

    I had one of these and I am still trying to get rid of the trojan with Stinger.

    What a pain in the tooch! Not sure where this “malware protection” program came from but they made the icon look like Windows.

    I was able to go into safe mode and restore so that I could free up my browsers and get Stinger installed. I forgot to turn off my system restore the first scan so they couldn’t be removed, but the second scan should.
    I run McAfee Total Protection and have all files checked real-time. Why did the program not catch it?

  • j davis November 22, 2009 2:47PM

    As long as the laws dealing with this kind of fraud are weak, scammers will continue to reap millions from unsophisticated users. Recently the FTC settled with James Reno of WinFixer infamy for only $160,000. It has been estimated that the people behind this malware made in excess of $36 million!! As can be seen, the law is no deterrent. Kind of like Kevin Trudeau of infomercial scam fame. He regularly settles with the FTC and still makes millions. Prison time for these kinds of crimes should be mandatory–very serious prison time!! There is a very effective way to avoid being infected with rogue security programs–use a browser like Firefox that is less susceptible to malware—and—when the original rogue popup appears, disconnect from the internet and restart. When I see one of these pop-ups I shut my PC off manually and restart. When the rogue pop-up appears DO NOT CLICK ANYWHERE ON THE DIALOG BOX!! If you do, most of these rogues will do a drive-by install regardless of your wishes. Even clicking the ‘x’ at the top of the dialog box can trigger an unwanted download.

  • Mikus August 2, 2009 11:21PM

    Had this SS 2009 and b/c it quickly closes ANY program you open. Without being able to open programs like taskmanager or msconfig.exe to try and remove one or two of its operating files, one cannot go about stopping the SS 2009’s processes.

    I restarted in Windows SAFE MODE and ran [regedit] and deleted one or two of its registry files (HKLM/Software/Microsoft/Current Version/Run) and also its 2009 support link, which was in my Documents and settings/allusers/App Dat/user profile/start menu/programs/system Security 2009 link

    Then I used system restore and restored to a day earlier.

  • Giovanni July 24, 2009 10:43PM

    Use Windows Preinstallation Environment :) that’s how I got rid of it

  • lynn mcdaniel June 20, 2009 4:39PM

    So far fake alert is holding 2 of my PCs for ransom and I’ve downloaded spy doctor offline and it helped the other spyware take effect, but the other PC won’t clean up and I can’t go online cause it has stopped me and I can’t get into safe mode, it skips that page completely. It’s an older PC and won’t download service pack 2 for me to get McAfee.