amelierosalyn.com

XP Anti-Virus 2011 is a very clever virus

• Posted on 25th April 2011 at 18:49
• · Tagged: Computers, Geekiness, Internet, Internet Explorer, Security

Have you ever had one of those fake antivirus things pop up on your computer? You know the type, "50,000 infections found! Click here to remove! *click* Pay $$$ to remove or you have viruses!!1". They're very convincing; usually they look like legitimate programs and/or parts of Windows. They prey on novice PC users who jump at the word 'virus' and think they have done something wrong.

I recently had the misfortune to meet one called XP Anti-Virus 2011 (not my computer that was infected, I was just tasked with fixing this particular one). This virus - and yes, I am calling it a virus even though it technically isn't one - is the nastiest rogue software I have seen yet, though I'm sure it's not the only one to run as it does. It's not new, despite the name - it's been around for years under various different names, mainly comprising of your version of Windows and the current year. So under Windows XP, you'd get XP Anti-Virus 2011 and under Vista you'd get Vista Anti-Virus 2011...etc.

Why is this particular one clever? Well, as I said, it's probably not just this one, but what this program does is to change how .exe files are run on your computer. On Windows, .exe files are normally programs; nearly all executable files will have that extension. Mr Nasty Virus here reroutes all .exe files to run through itself - and it'll block any it doesn't like. Those it doesn't like include almost all legitimate antivirus/antispyware scanners and certain web browsers as well - it didn't seem to stop Chrome but it put a stop to Internet Explorer in any case and kept reopening itself informing me that the computer had too many viruses and I must click here to register and remove threats. That of course makes removing this piece of rubbish a right pain since, well, it doesn't let you. :P Of course, it did everything else these fake programs do - nice threatening messages, cloned the Windows Security Center but plonked itself there instead, typical antivirus program look... All very lovely.

I removed it by following a mixture of guides online - this guide is one of many that explains the basic steps (note the insertion of the license key in those steps - once you do this the program will act as if it removes the viruses and/or itself. Ha - I restarted and it came back up an hour later saying my registration needed confirming and I still had threats). Once you've got rid of it, make sure to update your real antivirus/antispyware protection and run a full scan to make sure it really has gone. A lot of those guides keep trying to push a download of SpywareDoctor (normally labelled as the "remover" for the viruses)... I've never found that program anything more than bloat, personally - I removed the items manually then ran MalwareBytes' Anti-Malware on a full scan to make sure all traces had gone.

How do you protect yourself from getting fake antivirus software on your computer? Here are a few tips:

1. Know what your real antivirus software is (and firewall, if you have one), what it looks like and how to run it. If a window pops up saying you have viruses but it doesn't look like your normal AV software, it is more than likely fake.
2. Use a browser other than Internet Explorer, or if you like IE, keep it up to date. XP Anti-Virus and its variants creep in through unpatched vulnerabilities in browsers - mostly IE.
3. Keep Windows up to date. I know, Windows Update is a right pain and sometimes its updates take ages to download/install and sometimes break things. However, some of the updates do fix holes in the operating system so that fake AV stuff can't get in as easily.
4. Don't click on dodgy links. Got some weird email from your friend with a link in it? Might be worth checking they really sent it and didn't get their email account hacked with virus-infested site links now being distributed through it (it happened to me last year - my email account got hacked and my contacts all received some virusy links :( )
5. If a message does pop up about viruses on your computer, read what it says carefully. In most cases, fake AV software is in broken English with poor grammar and spelling (e.g. "threat is been discovered on your computer"). If your computer's primary language isn't English and this rubbish shows up in English, that's also a giveaway right there.
6. If you do happen to get one of these fake programs on your computer, don't click on any notice it gives you. Click the X button at all times, don't click any buttons it gives you on screen - in getting rid of the millions of popups it was giving me, I inadvertently clicked on what I thought was a cancel button - it tried to send me to some dodgy website. Ick.

Comments (4)

1. I got hit with three of these in five days about two weeks ago. :| Avast was being a jerk and not working properly, which I didn't notice because I'm very unobservant. The first one took the longest because I had to go into safe mode with networking and download Malwarebytes and then do a full scan just to be on the safe side, so that took like 2 hours. I killed the other two in about fifteen minutes each using the quick scan function, but it's still really annoying. Luckily I haven't had anything like that happen since then *knock on wood*, but I've been doing regular scans with Malwarebytes and making sure Avast is operational and updated at all times.

   I can definitely see someone falling for this kind of virus. They look pretty legit, and the ones I had used perfectly fine English, so I could understand someone who isn't totally computer literate getting screwed over by one.

   Clem on 25/04/2011 at 19:05

2. I haven't personally gotten any of these types of viruses (lucky me!) but I had to remove one from my brother's PC the other day. For some reason, Malwarebytes (my first instinct too) wasn't picking up on the virus, even after I manually updated the database? In the end, my solution was to get SUPERAntiSpyware's portable scanner on a flash drive and that did the trick.

   Josh on 11/05/2011 at 17:40

3. Do you happen to know if the virus you mentioned has anything to do with the infamous Google redirect problem on Windows 7?

   John on 13/06/2011 at 20:43

4. I had that same virus before. I mistook it for my anti-virus software, clicked on it, then realized it was a virus. Fortunately, I was able to get rid of it. I had those sneaky viruses!

   Britney on 11/10/2011 at 5:02

← Previous entry: My top 5 Android apps | Next entry: All change →