Fake anti-virus alert!

This week we are seeing a new fake anti-virus program that is interfering with computers everywhere. This fake anti-virus program imitates the Windows Security Center and goes by the name “System Security 2011”, “XP Internet Security 2012”, “Malware Protection”, “System Fix” and other variations. Generally, a new variation is released each week.

It starts with a web page that pops up and warns that your computer is infected. If you following the warnings and continue, it will install fake anti-virus software on your computer that will block operation of everything until its removed. This can also include hiding all of the desktop icons and menu items. Both the Windows Task Manager and Explorer will be blocked from running.

But if the initial fake warning screen is closed, nothing further will happen.

The initial web page and subsequent program will display a realistic scanning message but its also a fake, creating a false report of problems. When finished, it will prompt you to visit their web-site to buy the software.

Dubbed LizaMoon (because LizaMoon.com/ur.php was the first web-site that was linked to this fake anti-virus) the unknown creators of the  fake anti-virus software have found a way to substitute their web-site domain name when visiting legitimate web-sites.  What they have done is targeted web hosting systems that use the Microsoft SQL server software.

According to the web-site imdb.com, Liza Moon is listed as a digital artist involved with the 1984 movie Tron, which was recently released as a 2011 re-make. The creators of the fake anti-virus may have picked this name after reading more about the movie, since the theme of the movie is about people injecting themselves into a computer.

Using a software trick called “SQL injection”, they get a legitimate web-site to store a link to their web-site in the database. When a user visits a legitimate site that has been compromised, they instantly get re-directed to one of the many sites storing the fake anti-virus software and receive the fake warning messages. As soon as the fake anti-virus appears, it is crucial to close out all open windows in Internet Explorer to stop the fake software from installing.

The software creates a fake scan report with fake threats, and recommends going to a web-site to buy software to remove these fake threats.

There is no option in add/remove programs to remove this fake anti-virus software.  Later versions of this virus add an option to uninstall but it will only display warning messages and will not remove the fake software. It will also prevent any anti-virus software from scanning or removing it from your computer. Later versions of this virus will also hide all desktop icons and start menu programs, in addition to disabling Windows task manager. Closing any of the messages will trigger a system shutdown.

Once you have installed the fake anti-virus software, contact our office immediately so we can take steps to remove it. Since many legitimate anti-virus programs will not recognize this new fake anti-virus, we have to identify and close the fake anti-virus program and delete the files. After the fake anti-virus is stopped, we have additional tools to remove the registry settings and restore access to programs.

For an example of a fake anti-virus, Microsoft has a page describing one at: fake anti-virus information from Microsoft. Also, WebSense.com has provided excellent technical details and explanations of how the LizaMoon fake anti-virus works.

This entry was posted in Computers, Services, Software and tagged , , . Bookmark the permalink.

Leave a Reply