Nov 30, 2010 14:09 GMT  ·  By

Security researchers warn that a version of the desktop-locking ThinkPoint fake antivirus application is being distributed as a trojan removal tool.

The program is advertised under the name of "Windows Trojan Removal Kit" and is served from scareware websites that display antivirus-like scans.

According to researchers from GFI Software (formerly Sunbelt), the rogue domain used in this case was microsoftwindowssecurity152(dot)com, but similarly named hosts (with different numbers) distributed the threat in the past.

"Installing the executable can potentially give you a bit of a headache, with what would appear to the average user to be fake 'Blue Screens of Death' and payment nag screens," Christopher Boyd, a GFI senior researcher, warns.

This is because the application is a notorious fake AV program from the ThinkPoint family, whose behavior borders on ransomware.

ThinkPoint sometimes poses as Microsoft Security Essentials (MSE), the legitimate and free antivirus product from Microsoft, but more importantly it is known to prevent users from using their systems.

After infection, when the computer boots up, the victims will no longer be able to reach the desktop. Instead, they will see ThinkPoint allegedly performing a scan and finding infections.

Like any scareware application, the program claims that it cannot remove the detected malware until a more advanced component is bought.

Fortunately, there is a way for users to bypass the screen lock. It requires going to the program's Settings menu and enabling the "allow unprotected startup" option.

The social engineering trick of passing off malicious applications as malware removal tools is relatively common. Back in October, we reported on a destructive trojan distributed as a removal tool for the Stuxnet worm, which wiped all data from the system partition.

Users are advised to only download free security tools directly from the websites of known antivirus vendors, or from established download portals, where all applications are checked before being published.