Microsoft Security Essentials 2011 - ROGUE!

[tysroby]

No. Microsoft Security Essentials 2011 isn't the latest version of the free security software from Microsoft, it's a fake (rogue) antivirus. It spreads itself through the use of a few Trojans that claim to be video-codecs or critical flash updates for online content. It will display numerous fake alerts and it will perform several system scans, falsely detecting hundreds of infections. All this is to confuse the user, into purchasing this software. The detected files are either inexistent or clean, and none of the alerts have to be considered to be real.

Here is a screenshot of what this rogue antivirus looks like:

It displays the following messages:

System warning!

Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.

Critical Warning!

Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Interner Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)

And it creates the following folders/files:

- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Essentials 2011.lnk

- %UserProfile%\Application Data\Security Essentials 2011\

- %UserProfile%\Application Data\Security Essentials 2011\SE2010.exe

- %UserProfile%\Application Data\Security Essentials 2011\sejgdls\

- %UserProfile%\Application Data\Security Essentials 2011\sejgdls\semblgbls.cfg

- %UserProfile%\Desktop\Security Essentials 2011.lnk

- %UserProfile%\Start Menu\Security Essentials 2011.lnk

- c:\Program Files\Securityessentials2010

Associated Registry keys:

HKEY_CURRENT_USER\Software\SE2010

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_CLASSES_ROOT\SE2010.DocHostUIHandler

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “updatesst”

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%UserProfile%\Application Data\Security Essentials 2011\SE2010.exe” /hide”

HijackThis log incorporates the following entry:

O4 – HKCU\..\Run: [updatesst] “%UserProfile%\Application Data\Security Essentials 2011\SE2010.exe”

HOW TO GET RID OF THIS

1. Download an run rkill.com. This is necessary the kill the active process that the virus uses. You will probably receive a warning that rkill.com is infected. Ignore it, it's a false warning generated by Microsoft Security Essentials 2011

2. Download and install Malwarebytes' Anti-Malware. You can find it on nsanedown.com here. Run a full system scan and finally delete all the infected files by pressing 'Remove selected'.

It is amazing how naive people are when it comes to the Internet. After several warnings I gave my sister about this sort of PC security threat she still managed to get her laptop infected with a rogue antivirus. The same thing happened with my girlfriend. And when this happened, who had to drop everything and go fix their PC? Amazingly my mother, who after working for more than 20 years in a factory, managed to learn more then I've ever hoped for regarding PC's, Windows and navigating the Internet. I don't have this sort of problems with her, and that's good, because we don't live in the same town. :) She even installs Windows by herself :)