Microsoft has updated one of its free security solutions designed to tackle a specific collection of prevalent malware, adding a fake optimization solution offered for Windows, including Windows 7.Following the latest refresh, introduced earlier this week on Patch Tuesday along with the company’s August 2011 security bulletins, the Malicious Software Removal Tool (MSRT) is equipped to identify and clean Win32/FakeSysdef infections.
According to the Redmond company, FakeSysdef is related to Win32/FakeCog, having been authored by the same malware writers, most probably.
MSRT started tackling FakeCog in September 2010, and it appears that the malicious code authors produced FakeSysdef to replace their dying malware.
FakeSysdef was initially offered to users as System Defragmenter, but it has featured a plethora of labels since then including: Windows 7 Recovery, Disk Optimizer, Disk Doctor, Hard Drive Diagnostic, Memory Optimizer, Quick Defragmenter, Smart Defragmenter, Ultra Defragger, Win Defragmenter, Windows Diagnostic, Windows 7 Restore, etc.
Users should already be familiar with the modus operandi of FakeSysdef, which functions much in the same manner as fake antivirus solution.
This piece of scareware is designed to trick users into thinking that the hardware of their machine is plagued by a variety of issues and scares them into paying for a license to fix the errors. Obviously, all the errors and problems detected by FakeSysdef are fake, and there’s no real fix. Just victims handing over their money.
“Win32/FakeSysdef is a family of programs that claim to scan for hardware defects related to system memory, hard drives and over-all system performance. They scan the system, show fake hardware problems, and offer a solution to defrag hard drives and optimize system performance. They then inform the user that they need to pay money to download a 'fix' module, register the software and repair these non-existent hardware problems,” Microsoft explains.
Win32/FakeSysdef packs its own installer, but it can also be installed by malicious code such as Win32/Chepvil. When it’s served as standalone malware, FakeSysdef will most likely infect machines through a drive-by download when victims navigate to malformed sites, including websites they find via search engines.
“Win32/FakeSysdef drops a copy of itself and/or another component (DLL or EXE) to the "%APPDATA%" folder using random filenames,” the software giant explained.
“A shortcut link is created in the desktop folder and sometimes in the Program menu, hoping that the user will run it eventually. Others may just create a plain autorun registry entry to run the trojan every time Windows starts.”
Microsoft is warning users that FakeSysdef has evolved to the point where it can detect the OS it’s about to infect, tailoring its name to the platform.
“Win32/FakeSysdef typical behavior, once active, is to display fake error messages (…) that scare the user into believing that their computer needs repair. But before they can clean up their computer, they need to buy or register the software,” the company added.
“Needless to say, this is the old-and-dirty trick from rogues and some trojans to scam money from infected users - to scare you into buying their fake software. If the user ignores the malware (eg. clicking 'Cancel'), it reboots the machine repeatedly until they activate the fake fix. Downloading and installing the fake fix module will not clean up the computer and it doubles the risk by downloading an additional component or different new malware.”
The Malicious Software Removal Tool (MSRT) is available for download here.