Microsoft warns of malicious antivirus, 'Security Essentials 2010'

By on February 26, 2010, 3:15 PM
Microsoft announced on Wednesday that malware writers are distributing malicious applications whose name, look and feel mimic the company's legitimate security software (Microsoft Security Essentials) -- a popular and long-used method of preying on inexperienced users. The fake antivirus is called "Security Essentials 2010" and contains the Trojan Win32/Fakeinit.


Once installed, the malware downloads and installs a fake scanner that monitors running processes and terminates ones it doesn't like, claiming they are infected. It also lowers some security settings in the registry and changes the desktop background to an infection warning, modifying the registry so that the wallpaper cannot be changed back.


Furthermore, it downloads and installs Win32/Alureon along with a Layered Service Provider (LSP) component that sits in the Winsock stack, monitors TCP traffic sent by Web browsers and blocks access to certain domains, serving its own warning page instead. Naturally, the malware also demands that users pay for a subscription to a "full version" of the software.

If you've been duped by "Security Essentials 2010," Microsoft's legitimate antivirus is available for free and can clean your system. Grab your download: Windows XP 32-bit, Windows Vista/7 32-bit, Windows Vista/7 64-bit. If you need further assistance, feel free to swing by TechSpot's Virus and Malware Removal forum.
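As an added illustration (not part of the original TechSpot article, and not Microsoft's or the malware's code), the following Python script checks a Windows machine for the network artifacts described above: a non-Microsoft Layered Service Provider wedged into the Winsock catalog, and security-vendor domains being blocked (the hosts file is the usual companion to an LSP filter; a commenter further down reports exactly that). It also checks the wallpaper-lock policy. The sample hosts-file text and `netsh winsock show catalog` output are constructed for the example (the placeholder DLL name and all-zero GUID are not real indicators); the blocked-domain list, the Microsoft DLL allow-list and the `NoChangingWallPaper` policy key are the editor's assumptions, since the article names neither the registry key nor the blocked domains.

```python
"""Triage checks for a rogue antivirus of the 'Security Essentials 2010' kind.

Added example, not TechSpot's, Microsoft's or the malware's code. Sample inputs
are constructed; the domain list, DLL allow-list and policy key are assumptions.
"""
import re
import subprocess

# Assumption: illustrative list of domains a rogue AV wants to cut off.
SECURITY_DOMAINS = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
                    "avast.com", "symantec.com", "kaspersky.com")

# Assumption: Microsoft-shipped Winsock provider modules; any other DLL listed
# as a Layered Service Provider deserves a look.
KNOWN_MS_LSP_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll", "nlaapi.dll",
                     "napinsp.dll", "pnrpnsp.dll", "wshbth.dll"}

# Constructed hosts file: two vendor domains pinned to loopback, one to a bogus IP.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.microsoft.com
192.0.2.10      www.avast.com
"""

# Constructed `netsh winsock show catalog` output (field layout assumed from the
# real tool; the second entry's DLL name and GUID are placeholders, not IOCs).
SAMPLE_CATALOG = """Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Constructed filter entry (placeholder)
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\\WINDOWS\\system32\\lsp_placeholder.dll
Catalog Entry ID:                   1033
"""


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that pin a security-vendor domain in the hosts file.

    A clean Windows hosts file has no such lines at all, so any hit is worth
    investigating regardless of the address it maps to.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            lname = name.lower()
            if any(lname == d or lname.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((ip, lname))
    return hits


def parse_winsock_catalog(text):
    """Split netsh catalog output into one dict of 'Field: value' pairs per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def suspicious_lsps(catalog_text):
    """Return (entry id, description, path) for LSPs not backed by a known Microsoft DLL."""
    flagged = []
    for e in parse_winsock_catalog(catalog_text):
        if "Layered" not in e.get("Entry Type", ""):
            continue
        path = e.get("Provider Path", "")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_MS_LSP_DLLS:
            flagged.append((e.get("Catalog Entry ID"), e.get("Description"), path))
    return flagged


def wallpaper_change_blocked():
    """True if the NoChangingWallPaper policy is set for the current user.

    Assumption: the wallpaper lock is this documented policy value; the article
    does not name the key. Returns None when not running on Windows.
    """
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "NoChangingWallPaper")
            return value == 1
    except OSError:
        return False


if __name__ == "__main__":
    # Live run on a Windows box; elsewhere, fall back to the constructed samples.
    try:
        with open(r"C:\Windows\System32\drivers\etc\hosts", encoding="utf-8",
                  errors="replace") as f:
            hosts = f.read()
        catalog = subprocess.run(["netsh", "winsock", "show", "catalog"],
                                 capture_output=True, text=True, check=False).stdout
    except OSError:
        hosts, catalog = SAMPLE_HOSTS, SAMPLE_CATALOG
    print("hosts-file blocks:", suspicious_hosts_entries(hosts))
    print("non-Microsoft LSPs:", suspicious_lsps(catalog))
    print("wallpaper change locked:", wallpaper_change_blocked())
```

Run it from an account that can read the hosts file; a flagged LSP is a lead, not a verdict, so check the DLL's signature and publisher before deleting anything. Once the malicious files are removed, `netsh winsock reset` (followed by a reboot) rebuilds the catalog from defaults, which is the standard way to recover a browser that an LSP left unable to connect.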




User Comments: 35

TomSEA TomSEA, TechSpot Chancellor, said:

I think they ought to lop off fingers of people they catch putting this stuff out (and spammers). Pretty soon, if they can't type, then they can't pollute the internet with these trojans and viruses.

fwilliams said:

Microsoft is a virus. Eliminate the virus and everything will be OK.

mattfrompa mattfrompa said:

I have already had to remove an instance of this from a friend of my brother's... she had an expired edition of Norton on there as well. But because she knew when it started I was able to just boot into system restore and that got rid of it. I then of course ran it through Windows Update, installed MSE and MBAM, and after they scanned clean I felt confident that the malware was gone for good.

Guest said:

Had a friend with an updated version of Norton. Installed Microsoft Security Essentials on her machine and it found a backdoor trojan. So much for Norton.

Vicenarian said:

Hey, while on the topic of effective anti-virus software, I just have to recommend Avast. The home edition is free, and with the new update it received a month or so back, the interface finally looks and works fantastic! If you haven't tried the new interface, you just have to. It's great. Of course, many people/websites rate Avira as having the highest detection rates, but with the new interface, I much prefer Avast.

Combined with Avast's real-time scanning and other shields, its boot time scan ability, and the fact the Home edition is free, let's just say I install it on every computer I own.

Guest said:

"Of course, many people/websites rate Avira as having the highest detection rates, but with the new interface, I much prefer Avast."

So you prefer a lower detection rate just as long as your AV software looks cool??

Nice!

/sarcasm.

j4m32 said:

@vicenarian: Yeah avast is good in my opinion. Has a good combination of tools and has a boot time scan option which is very good for first time users who're experiencing problems.

if you are super paranoid Kerio Personal Firewall wouldn't even let you run Notepad without authentication let alone open a port (Though I think the company is now named Sunbelt)...

The three other tools I use for ridding of malicious trash from peoples machines are:

Security Task Manager for showing up processes or modules (DLLs) which may be injected into existing processes like Internet Explorer or Explorer in general.

The next is using Dr Delete (freeware app) that schedules file deletes upon system boot before Windows fully loads, since you can track that all down from the file names. Most stuff resides in the system directories that will certainly exist on any Windows (specifically NT in this case) installation.

The next thing is optional: a disassembler or dependency viewer included in MS Dev can reveal some info about the operation of modules which may be being used, as well as key strings in the malicious files. Removed many a complex registry problem by doing that; where the binary is not packed with anything special, it enables you to see exactly what changes are being made.

captaincranky captaincranky, TechSpot Addict, said:

Combined with Avast's real-time scanning and other shields, its boot time scan ability, and the fact the Home edition is free, let's just say I install it on every computer I own.

Odd, I thought the EULA specified 1 copy, 1 computer, 1 owner.

Microsoft is a virus. Eliminate the virus and everything will be OK.
This is constructive. Did we have a bad day in special ed?

red1776 red1776, Omnipotent Ruler of the Universe, said:

This is constructive. Did we have a bad day in special ed?

You're on my brain wave again, Cap.

eafshar said:

First time I came to TechSpot was when my old laptop was infected with some trojan... after seeing the helpful and informed people here I have been hooked ever since.

eafshar said:

Sorry for the double post... but I think you guys should do a weekend forum poll on what anti-virus, etc. people use.

windmill007 said:

Great protection... Pay for Malwarebytes and its real-time protection blocks IP addresses that contain the spyware so you never even have a chance of getting infected. That on top of Microsoft Security Essentials is a GREAT combo IMO.

Vicenarian said:

@Guest

No, I prefer avast regardless of the interface. However, Avast's interface prior to the update was not very user-friendly for novice computer users. I find Avast works exceptionally well combined with a decent firewall. If I was looking for an enterprise level solution of course, I would be purchasing a PAID antivirus. But, for home use, Avast wins hands down in my opinion. Combined with common computing sense, a person doesn't really need anything more.

Vicenarian said:

Or you could just install Linux...

Vickeych said:

I just heard about it. Don't be afraid, because I just downloaded the software from the official website.

Staff
Rick Rick, TechSpot Staff, said:

vicenarian said:

Or you could just install Linux...

^ Silly rhetoric often posted by people who don't use Linux themselves.

I agree this is a potential solution, but it isn't foolproof either ( http://www.linux-sec.net/Exploits/ ) and comes with a whole other set of baggage ( [link] ) for users to deal with.

Guest said:

I've found Linux to be more stable AND attacked by hackers less, as well as having more features & choices than Windows (the only real "set of baggage" I've found is TOO MANY choices for some types of programs, and not yet compatible with some chat programs & my old games (and most new games from Id Software, EA Sports, & similar major brands)...but with high-quality & free games that work in any browser, or made by Linux users, I still haven't found myself wanting to return to Windoze). Yes, no system is "foolproof" Rick, you can only IMPROVE in these 3 areas --stability, security, and features-- but never PERFECT them.

I use Linux to serve sound, hulu (etc) videos, & home-automation to every room in my house, along with ethernet+WiFi network to 6 desktops & laptops, and nearly everything else that a "power user" could want. I typically run RAID-1 on user-files and RAID-0 for better (write) speeds on all other partitions, something impossible in Winblows, along with FDEncryption... and my config settings for every app I use are not "rolled-back" like System Restore does whenever you need to use Sys Restore; instead, I can reinstall the OS & programs w/out removing my config files (stored in the partition with my user-files... but...

I've NEVER had the whole Linux OS freeze-up or BSOD, in 2 years of usage (if anything freezes it's limited to one app, and that app often can be re-started w/out a reboot, unlike Windoze). In contrast, XP & Vista froze-up _at least_ once a month until I replaced them; friends & relatives have fared no better with Winblows, on average.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

BTW Rick, the article you link to (linuxfonts.narod.ru) says that Linux's sound projects are in disarray, but then linuxfonts.narod.ru "cites" the following link as "proof," despite that it says the OPPOSITE of linuxfonts.narod.ru contention: "State of Sound Development On Linux NOT So Sorry After All" http://linux.slashdot.org/article.pl?sid=09/06/19/1937210

. . . i.e. you're going by FALSE hearsay from linuxfonts.narod.ru, which is obviously an unreliable source, and frankly your source is an ***** to say "See, Linux audio is 'unreliable,' here's proof (from a source that says Linux audio is GREAT)".

. . . so it sounds like you're the one commenting about Linux without actually USING Linux, Rick.

Staff
Rick Rick, TechSpot Staff, said:

. . . so it sounds like you're the one commenting about Linux without actually USING Linux, Rick.

Hi Guest,

I do actively run/use Linux (not on my main PC though). My comment about Linux's 'baggage' comes with a heavy heart -- it's sad but true, though.

Maybe 'my source' isn't reliable, but it wasn't meant to be some infallible exhibit of how awful Linux is... Even so, there are many thousands of substantial examples outlining how Linux isn't as awesome as you say it is.

If you've installed and used Linux for any period of time, you know it too. I like it, I like the idea of it and it works great for some small cross section of users and systems, but no matter how much you'd like it to be, this year isn't the year of the Linux desktop...

hughva said:

I use Netbook remix on my Dell Mini and Ubuntu 9.1 on a spare desktop that's many years old and a perfect candidate for Linux. I like the thought of keeping this PC out of the landfill and getting more use out of it.

I've had more than one issue with both installations, but I can't say I've had more problems than I've had with Windows.

A stable Linux install has a lot going for it, especially due to the price and relative freedom from Viruses/Malware. The downside is the necessity of being a nerd/geek to solve issues. Of course, that's not much different than windows either.

RebelFlag said:

fwilliams said:

Microsoft is a virus. Eliminate the virus and everything will be OK.

If you have nothing useful to add, please try and refrain from reminding all of us that you are a *****.

AmpFeare said:

all the microsoft products from this category that i have used have all sucked, security essentials will randomly rape my cpu for a bit for no reason, and it has VERY LITTLE options to tweak how the program runs, same with windefender :/ bring back ms antispyware.

boyese said:

I use Kaspersky Internet Security, not had any problem with it. Users get this from having no internet security/outdated software.

Which sites do these users go to get this stuff installed?

mrtraver said:

I think I have finally broken my parents and my mother in law of clicking these links. They now call me if anything pops up they are not familiar with, and sometimes i can use remote assistance to see what they are talking about.

SNGX1275 SNGX1275, TS Forces Special, said:

My dad once got infected after a malicious pop-up said he had a virus and he clicked through and did what it wanted. I would have thought he learned his lesson, but just last week he called and said he got a message his computer had a bunch of infections, at least this time he just unplugged from the internet without clicking through and installing stuff.

Guest said:

Wow, I have to say, be careful. I have Kaspersky Internet Security actively running on my computer. I was on a legitimate website about how to design blog templates. I downloaded nothing. I accepted nothing. I am very wise to the ways of "internet tricks" and all of a sudden it popped up. The Security 2010 issue. Of course, even though it does look very Microsoft legit, I didn't trust it from the get go because I've had my computer 3 years and never had any software on it that resembled this - but it actually installed an icon in my control panel. I did possibly consider that maybe Microsoft loaded this virus program in my last update. But then I did click a link to close it and it took me to a page to purchase the program. I didn't click anything else at that point, concerned about activating anything. And I opened my browser (I had already closed it) and it gave me an error page that stated it wouldn't let me go further due to security threats. It didn't look like the cheesy black warning screen above. It still looked very legit. BUT it didn't make sense. MS isn't going to load a program onto my computer in an update that blocks my browsing and then make me pay to "fix" my computer before I can do anything else. At that point I ran Kaspersky update to get the latest (which was only 24 hrs old at the time) virus file. And I ran a complete scan on my computer - it didn't find anything. So, I didn't touch anything. I went to my laptop to research what hijacked my computer. My computer shut down and rebooted (which it is prone to do when a MS update comes in - I now know I need to change that setting). When it came back up - and I log in - the only thing that comes up is the Security 2010 program with the link to "upgrade" so that it can fix the "Detected problems". Nothing else appeared on my computer - no start menu - nothing. So I shut down and log into a different user. It actually loads properly. I don't go anywhere near my browser.
We went to the store and bought a backup drive and I'm backing up all my personal files while researching what this thing is to get rid of it - which is how I found this page.

So Mr. Glass House - before you throw stones - I was actively running the security program you have and on a legitimate website and it happened to me. Luckily I am taking care of it. It seems to me that no virus programs seem to find everything. I downloaded MSE onto my USB and loaded it on my computer and am currently running it, but after that I'm gonna do the 8 tests and get some help. Because obviously this program doesn't find everything.

hughva said:

Now you know the difference between Viruses and Spyware.

In any case, nothing can protect you from yourself. Once you clicked, you were toast.

You may have some luck by using Malawarebyte, if the spyware will let you run it.

jjmgs1005 said:

I run VIPRE from Sunbelt. Their software doesn't hog system resources and they are reasonably priced for their home edition. Sticking to legitimate sites and being aware of what you click on will go a long way to helping keep your computer free of viruses. Unfortunately no matter how well protected or how careful you are there is always a chance of getting infected with something.

captaincranky captaincranky, TechSpot Addict, said:

Wow, I have to say, be careful. I have Kaspersky Internet Security actively running on my computer. I was on a legitimate website about how to design blog templates. I downloaded nothing. I accepted nothing. I am very wise to the ways of "internet tricks" and all of a sudden it popped up. The Security 2010 issue. Of course, even though it does look very Microsoft legit, I didn't trust it from the get go because I've had my computer 3 years and never had any software on it that resembled this - but it actually installed an icon in my control panel. I did possibly consider that maybe Microsoft loaded this virus program in my last update. But then I did click a link to close it and it took me to a page to purchase the program. I didn't click anything else at that point, concerned about activating anything. And I opened my browser (I had already closed it) and it gave me an error page that stated it wouldn't let me go further due to security threats. It didn't look like the cheesy black warning screen above. It still looked very legit. BUT it didn't make sense. MS isn't going to load a program onto my computer in an update that blocks my browsing and then make me pay to "fix" my computer before I can do anything else. At that point I ran Kaspersky update to get the latest (which was only 24 hrs old at the time) virus file. And I ran a complete scan on my computer - it didn't find anything. So, I didn't touch anything. I went to my laptop to research what hijacked my computer. My computer shut down and rebooted (which it is prone to do when a MS update comes in - I now know I need to change that setting). When it came back up - and I log in - the only thing that comes up is the Security 2010 program with the link to "upgrade" so that it can fix the "Detected problems". Nothing else appeared on my computer - no start menu - nothing. So I shut down and log into a different user. It actually loads properly. I don't go anywhere near my browser.
We went to the store and bought a backup drive and I'm backing up all my personal files while researching what this thing is to get rid of it - which is how I found this page.

So Mr. Glass House - before you throw stones - I was actively running the security program you have and on a legitimate website and it happened to me. Luckily I am taking care of it. It seems to me that no virus programs seem to find everything. I downloaded MSE onto my USB and loaded it on my computer and am currently running it, but after that I'm gonna do the 8 tests and get some help. Because obviously this program doesn't find everything.

No. Kaspersky or anything else doesn't find everything. These types of attacks are called "social engineering" and they count on the fact that we are all our own worst enemies.

What you experienced may have been enabled via "cross site scripting". A safety precaution you can take with respect to this is by using the Firefox browser, and obtaining an add-on called "NoScript". Everybody's browsing habits are different of course, but, I believe using this extension I've, "walked through the valley of the shadow of death", so to speak, without incident.

As to the source of your infection, I think somebody else recently said their son got the computed infected @ Wikipedia. Hmm, but we really don't know if junior was being totally forthright, now do we?

As to your backup strategy, I use what I like to call an "internal external drive". I scan all files first for malware, then move them to a separate HDD in the same computer. If a problem occurs, then you could take out the OS drive and throw it away, and have all your files intact. Please note, a reformat of "C:/" is usually the worst that's necessary.

Guest said:

I agree with Guest above on the intractability of this infection. I would classify myself as fairly experienced at malware removal and can go through a HijackThis log pretty well, but I'm only about a 6 out of 10 on Windows (e.g. can edit the registry but mostly don't know what it means). I hope my post will help some folks with this, and possibly save hours of frustration.

To those who feel user behavior is to blame, let me assure you, it isn't. I have seen this infection twice (once personally, once on a friend's computer) without any knowing user-initiated action, clicking, installing, etc. I've read about many more. There isn't any way to tell whether it is lurking in a "legitimate" ad or website - news reports state that multiple legit sites infected users, including the entire USA Senate IT infrastructure. And full antivirus and malware software protection simply has not kept up. I use Firefox exclusively and it, Windows and AV software are always on autoupdate. So even if you may feel you're more protected, careful, and worldly-wise than the average user, you may be humiliated to find, as I did, that you aren't.

The one thing that would probably work is disabling scripts in your browser. However, that will essentially eliminate your ability to access many sites. And selectively enabling scripting, despite advice from security experts, is really not a viable defence method since there is no way to tell what sites to trust.

The two variants I've seen are Security Central and Vista Guardian, and I've read about at least a dozen more (Security Essentials 2010, Virus Doctor, etc). The current versions of Norton, Trend, and McAfee do not find it, Malwarebytes and Spybot can't remove it, and it is a deeply embedded and disabling infection. One of the most annoying things is that the antivirus vendors actually characterize the threat danger as "Low", if you're lucky enough to decrypt codes to find your malware AND you can have a second machine to look it up. Symantec actually has a tool that was released in 2005 (!) to fix this - needless to say, malware mutations have made it ineffective - and has not posted any further information about removal since then, at least that I was able to find.

No two descriptions of the behavior of this software are alike, based on my research. They use different random registry keys, different random file names, and hide behind different services and processes. A brute force fix takes hours (never completed in my case) and is exhausting since there is no single guide to removal. Safe mode is not necessarily helpful because much of the malware infrastructure still runs at startup.

More behavior: Once it's on your computer you can't get to many security sites to figure it out, and if you're savvy enough to get rid of the hosts file it has several ways of adding it back. All the usual firewalls recognize there is a new program trying to access the Internet but blocking it does no good. Effects get worse as time passes. Initially, annoying dialog boxes occur any time a new program is opened, and, after a time (2 days in my case), execution of new programs is completely disabled with either "Access Denied" or "Execution Blocked Due To Infection" messages. It happens on non-privileged and privileged accounts. Once execution is disabled, you are out of business. You can buy yourself some time and peace by stopping the GUI process in Task Manager while you do basic diagnosis (my variant called this MSCui.exe) but even that will not work after a while. My advice is to immediately forget trying to work through the problem unless you really want a challenge and you are good at Windows. That will save you a lot of time.

There are only two repair alternatives I've seen (beyond a theoretically possible line-by-line registry and system directory cleanup). You can recover the system to a few days before, or you can reinstall Windows. I would love to hear another alternative but I have found no other way after extensive research and some very bitter experience. Once recovered, I had to reinstall Firefox as either the image or startup script was corrupted.

Prevention advice: I suspect that it's too late for most readers, but here it is anyway. Absent MSFT and the antivirus vendors catching up to these incidents, make sure you set recovery points every day or after each substantial system change, and keep copies of anything you might need to reinstall. Also - and this is admittedly extra paranoid - do frequent disk backups, unplug the backup device between runs, and don't plug it back in until you have a quiet/clean system. My feeling is that it's only a matter of time before the malware coders figure out how to screw up disk recovery also. Anything you can do on the keyboard they can do behind your back, but they haven't figured out a way to plug in a device yet. This ancient and low-tech method is still IMHO the best thing we've got.

If any antivirus vendors or Windows wizards are reading this, I suggest that you come up with something that ensures the integrity of simply running a program, i.e. run means run, not run some user-defined sequence of potentially infected commands. That would at least allow the ability to continue diagnosis and removal for a determined user. Symantec's tool did this for old malware and old Windows versions but we need something that works today, and that will continue to work as the malware mutates.

BTW - OSX and Linux don't have this problem. All Windows variants do. I think the newer Windows releases are pretty good generally, but regardless of your position on the OS wars, Microsoft really needs to solve the security problem. While I agree that any software is going to have security issues, it's immaterial whether OSX/Linux could have the problem or the reasons why they don't - they simply don't at this time. It is literally getting worse by the day - this thing is the MRSA of the Internet right now, and those of you who got here by Googling certainly know it. Good luck to all in your removal efforts.

yangly18 yangly18 said:

Usually I never run into any kind of malicious content when I surf the net, but I have run into this one. I've seen other versions like this that trick you into clicking on it and installing a 'security patch or program' that actually gives you a nice little trojan. Fortunately I've never been dumb enough to click on it.

techsp10 said:

With this software we need to make sure that we install the right anti-virus for our computer. Antivirus is very important for the computer to be safe, so if the anti-virus itself is the malware that needs to be removed from the computer then that would be a big problem. So for us not to be a victim of this anti-virus we have to make sure that we are alert enough in identifying this "fake" anti-virus.

Thanks for the warning Microsoft!!!!

captaincranky captaincranky, TechSpot Addict, said:

To those who feel user behavior is to blame, let me assure you, it isn't. I have seen this infection twice (once personally, once on a friend's computer) without any knowing user-initiated action, clicking, installing, etc. I've read about many more. There isn't any way to tell whether it is lurking in a "legitimate" ad or website - news reports state that multiple legit sites infected users, including the entire USA Senate IT infrastructure. And full antivirus and malware software protection simply has not kept up. I use Firefox exclusively and it, Windows and AV software are always on autoupdate. So even if you may feel you're more protected, careful, and worldly-wise than the average user, you may be humiliated to find, as I did, that you aren't.

The one thing that would probably work is disabling scripts in your browser. However, that will essentially eliminate your ability to access many sites. And selectively enabling scripting, despite advice from security experts, is really not a viable defence method since there is no way to tell what sites to trust.

Dear Guest, this is obviously a well thought out and informative post. If I may, I would like to try and "enhance" or perhaps "mitigate" a few of your viewpoints. I'm a bit uncertain as to whether you're only referencing "user initiated action" with regard to this one specific infection, or it is a broader statement. I'm going to work with the assumption that it is a broad reference, and reply with that in mind.

The fact that anyone can be infected by means of a "drive by download" is documented and conceded, but so are "social engineering" types of infections. Perhaps you are smarter than that, but rest assured that others are not so well informed or prudent. When dealing with a teenager's explanation of the origin of an infection, I really think those tales need to be taken with a great big spoonful of salt, and not a grain.

As to the issue of script blocking, any script has to be scrutinized before permission is granted, or what would be the point. So, a little bit of caution must be employed. With "NoScript" I issue permissions firstly to the visited site, and then to any other script that really needs to run; as an example: 1st Newegg.com, 2nd Neweggimg.com, then lastly akamai.net, this for the VeriSign server, and only when I try to buy something. Everything else has its nose up one's bum, "doubleclick.net", and even "googleanalytics".

With TV station and network sites, script approval again is issued in only the order necessary to have the site work. Usually it takes another one or two approvals to get the video player to work. After a while you do get a feel for it, as it's simple enough for even me to figure out.

Ah, TV stations. At one point, I think it was McAfee SiteAdvisor that had yellow or red listed our local NBC 10 station, due to the fact that people left their email address, then began to receive 30 emails a month. So, I try to tell as little as possible when I get to a site, and leave even less information when I leave. And don't get me started about the nitwits on Facebook.

All of that said, I think it helps to be lucky as well.....

Guest said:

Yes, I have been annoyed by "Security Essentials 2010" since yesterday. Of course, I faced the problems exactly as mentioned above. I want to be reminded of such threats regularly.

Guest said:

Very interesting points of view... I have this service and I know for sure they are not scammers, though sometimes it seems like they are. First of all they have a support center for customers who have some problems, and the statement that it's not working isn't correct - I contacted them more than once and always got a response, even if it took some time. Now this program seems to be working properly.

captaincranky captaincranky, TechSpot Addict, said:

Very interesting points of view... I have this service and I know for sure they are not scammers, though sometimes it seems like they are. First of all they have a support center for customers who have some problems, and the statement that it's not working isn't correct - I contacted them more than once and always got a response, even if it took some time. Now this program seems to be working properly.

Dear Guest, why don't you read this: http://www.techspot.com/vb/topic150620.html then try again to explain the validity of the "live support" you speak of. Perhaps you're one of the "team"..?
