Another turn of rogue AntiVirus systems

by Alice Woods - -

Once, rogue AntiVirus software plagued the Internet. However, while rogue AntiVirus malware is still alive, it has decreased now since users have increased their awareness of these types of attacks, and protection systems have improved in stopping malicious programs.

rogue antivirus strikes 

Daniel Chipiristeanu, an expert of AntiVirus at Microsoft Malware Protection Center known as MMPC, notes that a browser-based, simple variant of fraudulent AntiVirus has recently become more compelling.

According to MMPC, after the device is infected by Rogue:Win32/Defru, it impedes users from launching many famous websites by presenting an image known by many users who have faced the malware before.

Chipiristeanu explains the Rogue:Win32 operation principles: “When the user is browsing the Internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender. IP 82.146..21) that is often used in social engineering by fake antivirus malware.” The link in the address bar is of the website, which the user intents to launch. That is because the rogue AntiVirus switches the victim to a different website but the URL is not affected by this transfer. If victim attempts to visit another website, the malware does the same.

The message on the window says:

Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security was forced to intervene.”

The fraudulent scanner displays a list of fake malware and tries to fool its victim that the device is compromised with non-existing viruses. The rogue AntiVirus offers to clean the computer for a fee and if the victim decides to do so and clicks the button, which says “Pay Now”, the “Payeer” payment portal will appear.

An AntiVirus Expert D. Chipiristeanu says that even if the victim pays, the problem won’t get fixed.

Most of the rogue AntiVirus Rogue:Win32/Defru cases appear in Russia, which is clearly presumed by the language. The United States remains in the second place, followed by Kazakhstan. All the remaining infections are mostly located in Middle and Eastern European countries, and some are left in Western Europe.

“The rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%\\w1ndows_<4chars>.exe (e.g. ‘w1ndows_33a0.exe’),” According to MMPC expert, D. Chipiristeanu. He also explains that, “It persists at system reboot by adding itself to the registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the value ‘w1ndows_<4chars>’.”

In order to remove the malware, “The user can clean their system by removing the entry value from the “run” registry key, delete the file from the disk and delete the added entries from the hosts file”, – advises the expert.


About the author

Alice Woods
Alice Woods - Antivirus software analyst

Alice Woods is an anti-malware analyst at She is passionate about testing new pieces of software and discovering pros and cons of each program.

Contact Alice Woods
About the company Esolutions

now online
Like us on Facebook