Win32/Winwebsec and Win32/FakePowav.B

May 14, 2009 10:48 GMT

As per tradition, Microsoft's monthly patch package was accompanied in May 2009 by a new release of the Malicious Software Removal Tool. The tool went live alongside the month's security bulletin release, and Microsoft added new rogue antiviruses to the list of malicious code it removes. “The monthly installment of the technology to remove malicious software from users’ systems is available today as well. This month’s update removes Win32/Winwebsec and Win32/FakePowav.B,” revealed Christopher Budd, security response communications lead for Microsoft.

Both Win32/Winwebsec and Win32/FakePowav.B are rogue antiviruses: fake security solutions that deliver no actual functionality but use various methods to convince users to pay for nonexistent protection. The most popular strategies associated with rogue antivirus products involve convincing victims that their computers are infected with malware and scaring them into paying for a license so that the fake antivirus will remove the made-up threats. This is why rogue antiviruses are also referred to as scareware.

“Winwebsec goes by different names (“System Security” and “Winweb Security”), typical of a rogue. One less common feature is that it has been known to download additional malware. For a short time it downloaded Worm:Win32/Koobface (which we added to MSRT in March). This brings us full circle: one of the ways we have seen people directed to Win32/Winwebsec’s fake online scanner is via Win32/Koobface. Koobface can launch pop-ups which load fake online scanners. At one time it was FakeXPA, at another it was Win32/Winwebsec. Koobface doesn’t seem attached to a specific rogue,” revealed Microsoft's Hamish O’Dea.

Winwebsec is also capable of blocking certain Windows programs and components from launching, telling the user that the items are infected. Trojan:Win32/Winwebsec is generally spread via webpages masquerading as online scanners. Users are tricked into downloading the Trojan, which is packaged as a file such as “install.exe.” In attempting to clean the machine of nonexistent threats, victims actually end up infected with the Trojan.

“Trojan:Win32/FakePowav is a family of programs that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money in order to remove these non-existent threats,” Microsoft stated.

The Malicious Software Removal Tool is available for download from Microsoft.