Microsoft is advising users to be wary of a rogue antivirus program that creates fake warnings that appear to come from the user’s browser.
The program, called MSIL/Zeven by Microsoft, detects what browser is being used and then launches a page virtually identical to pages generated by Internet Explorer, Google Chrome and Mozilla Firefox that warn users when they are about to surf to a malicious site.
A key difference is that there will be a place on the page for users to click to download an antivirus program to protect them.
“All the ‘updates’ point to a copy of MSIL/Zeven that promises to provide ‘a new approach to windows detection,'” blogged Daniel Radu of Microsoft Malware Protection Center Dublin. “Internet Explorer, Firefox and Chrome do not offer such a solution when a Website is blocked. When installed, the product [Win7 AV] looks very genuine: It allows you to scan files, tells you when you’re behind on doing your updates, and enables you to tweak your security and privacy settings. … However, the features don’t work; everything is there just to look nice, not to offer any kind of protection.”
When another warning appears telling users about malicious files discovered on the machine, users are told the files cannot be deleted until they update. The idea is to get users to pay for the full version of the product, which has the ability to download updates, Radu wrote. However, these files “are totally bogus.”
“If you decide to buy the product, this rogue opens an HTML window enabled with ‘Safe Browsing Mode’ and high strength encryption to ‘help’ and ‘protect’ you while completing your purchase,” he blogged. “Of course, these features are totally worthless and don’t actually do anything in the way of securing your credit card details.”
The main page of the fake AV itself is designed to look similar to the Microsoft Security Essentials Web page, Radu noted.
“The people behind it have even copied the awards received by Microsoft Security Essentials and link to the Microsoft Malware Protection Center – pretty sneaky of them,” he blogged.
Microsoft couldn’t say much about the attack vector the mind or minds behind Zeven are using to infect people in the first place, but told eWEEK users should keep their computers protected with up-to-date antivirus.