Recently, we analysed samples of a new fake anti-virus program that brands itself as Alpha Antivirus. This program uses the following filenames: alphaav.exe and msnaoladdon.dll.
Alpha Antivirus is a new FakeAlert variant that evolved from the Personal Antivirus family of rogue anti-virus software. Like many FakeAlert variants, Alpha Antivirus promotes itself through pop-up web pages hosted on malicious websites. These pages mimic a Windows Explorer folder and a Windows Security Alert dialog, and perform a free but fake online scan of the affected system.

The following domains were known to host the fake online-scanning web pages and the main executable of Alpha Antivirus:
The software prompts the user to install Alpha Antivirus. Once executed, it launches fake scanning and reports multiple infections:


It also displays misleading pop-up warnings on the Windows taskbar.


This variant drops a copy of itself as %ProgramFiles%\AlphaAV\AlphaAV.exe, drops an msnaoladdon.dll component in the Windows System folder, and registers that DLL as a browser helper object (BHO) so it loads into Internet Explorer.
(%ProgramFiles% refers to the Programs folder, for example C:\Program Files.)
AlphaAV.exe is detected as FakeAlert-DI, while msnaoladdon.dll is detected as FakeAlert-EQ.
Frequently, we see abrupt changes in the branding, filenames, and GUIs used by the same fake anti-virus programs. As more security vendors and researchers publish their findings about new rogue anti-virus programs, malware authors repackage their “products” under new brand names and filenames, and apply more obfuscation and encryption to their files, in an attempt to avoid being recognised by users and, in some cases, to evade detection by security vendors.
Some known brand name and filename changes:
1. From pav.exe + winexplorer.dll to personalav.exe + msxmlm.dll (Personal Antivirus), and again to alphaav.exe + msnaoladdon.dll (Alpha Antivirus)
2. From frmwrk32.exe to winupdate.exe (Antivirus XP/Pro)
3. From pcdef.exe + mousehook.dll + ntdll64.dll (WinPC Defender) to winav.exe + ieocx.dll + iehostcx32.dll (WinPC Antivirus)
4. From Spyware Protect 2009 to Antivirus System Pro
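The drop locations, the BHO registration and the rebranding table above translate directly into a host triage check. The following Python helper is an added example, not code from this post or from McAfee Labs: it takes a file inventory and a dump of Browser Helper Object registrations (the standard `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` key resolved to each CLSID's `InprocServer32` DLL), flags any filename from the families listed in the post, and for Alpha Antivirus also reports whether the file sits at the documented drop path. All sample paths and CLSIDs below are constructed, the function names are the example's own, and it reads nothing from a live system.

```python
"""Added triage example: match a file inventory and BHO registrations against
the rogue-AV filenames and drop paths described in the post. All input data
here is constructed; no registry or file system is read."""
import ntpath
from dataclasses import dataclass

# Filename sets per brand, exactly as listed in the post (lower-cased for matching).
ROGUE_AV_FILES = {
    "Personal Antivirus": {"pav.exe", "winexplorer.dll", "personalav.exe", "msxmlm.dll"},
    "Alpha Antivirus": {"alphaav.exe", "msnaoladdon.dll"},
    "Antivirus XP/Pro": {"frmwrk32.exe", "winupdate.exe"},
    "WinPC Defender": {"pcdef.exe", "mousehook.dll", "ntdll64.dll"},
    "WinPC Antivirus": {"winav.exe", "ieocx.dll", "iehostcx32.dll"},
}

# Reverse index: lower-cased filename -> brand it belongs to.
FILENAME_TO_BRAND = {
    name: brand for brand, names in ROGUE_AV_FILES.items() for name in names
}


@dataclass
class Finding:
    kind: str     # "file" (inventory hit) or "bho" (registered helper object)
    brand: str    # rogue-AV family the filename belongs to
    detail: str   # path or CLSID -> DLL, plus drop-path assessment


def documented_drop_path(name, program_files, system_dir):
    """Return the drop path the post documents for an Alpha Antivirus file,
    or None for files whose location the post does not state."""
    if name == "alphaav.exe":
        return ntpath.join(program_files, "AlphaAV", "AlphaAV.exe")
    if name == "msnaoladdon.dll":
        return ntpath.join(system_dir, "msnaoladdon.dll")
    return None


def scan_file_inventory(paths, program_files=r"C:\Program Files",
                        system_dir=r"C:\Windows\System32"):
    """Flag inventory entries whose basename matches a known rogue-AV filename."""
    findings = []
    for path in paths:
        name = ntpath.basename(path).lower()
        brand = FILENAME_TO_BRAND.get(name)
        if brand is None:
            continue
        expected = documented_drop_path(name, program_files, system_dir)
        if expected is None:
            where = "no drop path documented in the post"
        elif path.lower() == expected.lower():
            where = "at documented drop path"
        else:
            where = "not at documented drop path"
        findings.append(Finding("file", brand, f"{path} ({where})"))
    return findings


def scan_bho_entries(bho_entries):
    """bho_entries: iterable of (clsid, dll_path) pairs, i.e. each CLSID under the
    Browser Helper Objects key resolved to its InprocServer32 DLL."""
    findings = []
    for clsid, dll in bho_entries:
        name = ntpath.basename(dll).lower()
        brand = FILENAME_TO_BRAND.get(name)
        if brand is not None and name.endswith(".dll"):
            findings.append(Finding("bho", brand, f"{clsid} -> {dll}"))
    return findings


def triage(paths, bho_entries):
    """Combine both scans; return (findings, sorted list of brands seen)."""
    findings = scan_file_inventory(paths) + scan_bho_entries(bho_entries)
    return findings, sorted({f.brand for f in findings})


# Constructed sample data (not from a real host): two Alpha Antivirus artifacts
# at their documented locations, one unrelated DLL, one WinPC Antivirus binary,
# and two BHO registrations with placeholder CLSIDs.
SAMPLE_FILES = [
    r"C:\Program Files\AlphaAV\AlphaAV.exe",
    r"C:\Windows\System32\msnaoladdon.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\Public\Downloads\winav.exe",
]
SAMPLE_BHOS = [
    ("{00000000-0000-0000-0000-000000000001}", r"C:\Windows\System32\msnaoladdon.dll"),
    ("{00000000-0000-0000-0000-000000000002}", r"C:\Program Files\Vendor\legit.dll"),
]

if __name__ == "__main__":
    results, brands = triage(SAMPLE_FILES, SAMPLE_BHOS)
    for f in results:
        print(f"[{f.kind}] {f.brand}: {f.detail}")
    print("families present:", ", ".join(brands))
```

Matching on filename alone is deliberately loose, since the post's point is that these families rename themselves between releases; the drop-path check and the BHO registration are the corroborating signals, and a real triage run would also compare hashes against current DAT detections.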
As a gentle reminder to all users: Avoid visiting untrusted websites, install anti-malware products only from trusted and legitimate sources, and update the DATs regularly.