New Rogue: Antivirus Plus

by LS Anders on December 11th, 2008 in Researcher Comments, Security Alerts.

Recently we came across this rogue: Antivirus Plus. What makes this one different from others is that it is distributed directly as a fake video codec; the fake alert step that usually comes in between has been removed.

[Image: fake codec install]

The installer presents what looks like a normal installation procedure. However, the rogue is installed as soon as the file is run, no matter what the user chooses to do during the installation phase. Soon afterwards a scan starts and a long list of false positives is presented.

[Image: GUI]

[Image: fake alert]

The rogue also hijacks web requests by adding entries to the hosts file, so that well-known hostnames resolve to an attacker-controlled server. The following two entries were found inside the hosts file:
94.247.xx.xx www.google.com
94.247.xx.xx search.yahoo.com

When trying to access one of these pages, the user will be redirected to another server that will show a page like this:

[Image: Alert2 Browser Hijack]
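Hosts-file hijacks like the one above are easy to spot if you check for well-known public domains being mapped to non-local addresses. The following script is an added example (not code from the original post or from the rogue itself): it parses a hosts file and flags any watched domain that resolves to an address outside the loopback, private and link-local ranges. The sample hosts content is constructed for the example, and the address 94.247.0.1 is a placeholder standing in for the masked "94.247.xx.xx" entries in the post; the watched-domain list is an assumption you would adapt to your environment.

```python
"""Flag hosts-file entries that point well-known domains at remote servers.

Added example for this post; the sample hosts content below is constructed,
and 94.247.0.1 is a placeholder for the masked 94.247.xx.xx address.
"""
import ipaddress
import re

# Constructed sample resembling a Windows hosts file after the hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.example   # internal hostname, legitimate
94.247.0.1      www.google.com
94.247.0.1      search.yahoo.com
"""

# One IP followed by one or more hostnames, whitespace separated.
LINE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) tuples, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        entries.append((match.group(1), match.group(2).split()))
    return entries


def is_local(ip):
    """True for loopback, private, link-local and unspecified addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as not local so it gets reported
    return addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified


def suspicious_entries(text, watched_domains):
    """Return (ip, hostname) pairs where a watched public domain maps to a non-local IP.

    A hostname matches if it equals a watched domain or is a subdomain of it,
    so www.google.com and search.yahoo.com are caught by google.com / yahoo.com.
    """
    watched = {d.lower().rstrip(".") for d in watched_domains}
    findings = []
    for ip, names in parse_hosts(text):
        if is_local(ip):
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((ip, host))
    return findings


# Assumed list of domains worth watching; extend for your own environment.
WATCHED = ["google.com", "yahoo.com", "bing.com"]

if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS, WATCHED):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

On a real system you would read the contents of `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) into `suspicious_entries` instead of the constructed sample; the private intranet entry in the sample is deliberately left unflagged, since internal overrides are the legitimate use of the file.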

It's another reminder that you need to be very careful when installing unknown codecs.