Our systems are attacked daily by Trojans, viruses, worms, and other malware. We face these risks while browsing the Internet, chatting, downloading applications, and in many other ways. We know we have to protect our systems and that we need to use security software. Unfortunately, one of the most popular ways for the bad guys to make money is to trick users into believing their systems are infected. They conveniently offer to sell us fake, or rogue, security applications that often do little more than act busy and collect our money.

How harmful are rogue security applications?

FakeAlert anti-virus software can be harmful to your systems. FakeAlert Trojans operate in a similar way: we get them either through a “drive-by” install or through a downloader that silently loads part or all of a rogue security application.
Rogue software can sometimes damage the system and harm other drivers and utilities.

We use several detection names for fake anti-virus software, including FakeAlert-Antiviruspro, Rogue Antispyware, and Fraudtool.



Let’s look at one example of FakeAlert software: when sysguard.exe runs on a victim’s machine, it infects the system and deletes the AppInit_DLLs registry entry from the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

The user sees the warning message in the next screenshot, and these registry keys are added:

HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings

When this pop-up window warns of a (fake) infection, most users click on “Yes, remove threats.”


What happens next?

As we see in the previous screen, once the Trojan runs it offers a graphical interface designed to appear as a legitimate security application. It reports multiple “infections” on the victim’s computer. It also adds the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings "JITDebug"

Finally, the FakeAlert software offers the user the chance to clean up the attack by buying the “full” rogue application. (See next screen.) Once the victim pays, the attacker has won, and the user’s machine remains infected by the rogue product.
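
The registry changes described above can be turned into a quick triage check. The following is an added example, not McAfee tooling: it parses the text of a .reg export (assumed to be already decoded from UTF-16) and reports which of those changes are visible. The function names, finding strings and sample export are constructed for illustration, and a hit is a reason to scan the machine rather than proof of infection.

```python
import re

# Registry locations named in the post; key and value names are case-insensitive.
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows".lower()
SCRIPT_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows Script".lower()
SETTINGS_KEY = SCRIPT_KEY + r"\settings"

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg_export(text):
    """Parse decoded .reg export text into {key: {value_name: raw_data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:  # hex continuation lines and blanks do not match and are skipped
                current[m.group(1).strip('"').lower()] = m.group(2)
    return keys

def check_indicators(keys):
    """Return triage findings for the registry changes described in the post."""
    findings = []
    windows = keys.get(WINDOWS_KEY)
    # Only report a missing value when the export actually covers the parent key.
    if windows is not None and "appinit_dlls" not in windows:
        findings.append("AppInit_DLLs value missing")
    for key in (SCRIPT_KEY, SETTINGS_KEY):
        if key in keys:
            findings.append("key present: " + key)
    if "jitdebug" in keys.get(SETTINGS_KEY, {}):
        findings.append("JITDebug value present")
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script]

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings]
"JITDebug"=dword:00000001
"""

if __name__ == "__main__":
    for finding in check_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```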



How can you protect your system?

The first step in protecting yourself is to download the McAfee SiteAdvisor tool, which will warn you before you visit the suspicious links.

McAfee anti-virus products such as VirusScan Enterprise 8.x have features that can help your PC. VSE adds user-defined rules and protects your system against fakealert trojans.

You should also update your McAfee products to ensure you are protected from these threats.

You can help by sending us a sample for analysis in a password-protected ZIP file. (Use the password “infected”.) For more details on how to submit fake alert related samples, please visit this link: https://community.mcafee.com/docs/DOC-2752

Please use our updated McAfee FakeAlert Stinger tool to protect your system, which detects and remediates fakealert threats.