Revamped fake antivirus variant holds systems for ransom

May 13, 2009 12:27 GMT

Security researchers from antivirus vendor McAfee are warning that an older scareware application has recently mutated into ransomware and now demands money to unblock access to legitimate applications on victim computers.

Looking to increase their illegal monetary gains, the creators of "System Security 2009," a fake antivirus program, which previously relied solely on scareware tactics to trick users into acquiring useless licenses, have released a new variant that now holds systems for ransom. McAfee currently detects the new variant as FakeAlert-CO.

"As most other rogue security programs to date, FakeAlert-CO displays spurious alerts and makes fraudulent claims of infections that require the user to pay a fee to 'repair.' Following the trend of Ransom-F, we noticed 'new features' in FakeAlert-CO that resemble some common characteristics of ransomware trojans," Avelino Rico Jr. and Geok Meng Ong, the two McAfee experts who have analyzed it, explain.

Ransom-F refers to an application called "FileFix Pro 2009," which was aggressively marketed to users looking to recover personal documents that the Vundo trojan had encrypted specifically in order to sell this product. FileFix Pro 2009 was first reported back in March and has been followed just recently by the first Brazilian ransomware, called Byte Clark.

Unlike FileFix Pro 2009, Byte Clark did not encrypt anything; it merely blocked access, via a malicious component, to a wide variety of documents, applications and folders. The new System Security 2009 variant takes a similar approach: it prevents all programs from starting and displays an error message telling the user to buy a license in order to fix the problem.

Clicking on the error message opens a professional-looking website in the browser, where victims can select from several subscriptions before proceeding to enter their credit card details. The website even claims to offer a 30-day money-back guarantee, which is, obviously, false.

"Uninstalling the System Security 'product' will not be an option for the typical user, as there is neither an uninstaller function nor will the 'Add or Remove Programs' in the control panel be allowed to be opened via the usual means," the researchers warn. However, "If the user boots into Safe Mode, FakeAlert-CO is not started automatically and system tools and applications can be executed and accessed normally," they add.
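The practical consequence of the Safe Mode observation above is that the rogue can be hunted down and removed from its autostart location while it is not running. The script below is an added example of generic autostart triage, not McAfee's analysis and not code from the article: it walks the Run and RunOnce keys under HKLM and HKCU, resolves each entry to its image path and flags entries that are unsigned, missing, or installed under user-writable directories. The directory list and the "unsigned or missing" rule are assumed heuristics; the article does not say where FakeAlert-CO persists or how it blocks other programs, so treat any hit as a lead to inspect rather than a verdict.

```powershell
# Added example: list Run/RunOnce autostart entries and flag likely rogue ones.
# Generic triage technique; assumptions are marked. Run from Safe Mode when a
# rogue blocks normal program execution.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption (heuristic): legitimate vendors rarely autostart binaries from here.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE, $env:ProgramData) |
    Where-Object { $_ }

function Get-ImagePath([string]$cmd) {
    # Reduce a command line to its executable: a quoted path, or the first token.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
            if ($p.Name -like 'PS*') { continue }

            $image = [Environment]::ExpandEnvironmentVariables((Get-ImagePath ([string]$p.Value)))
            $inSuspectDir = $false
            foreach ($d in $suspectDirs) {
                if ($image.ToLower().StartsWith($d.ToLower())) { $inSuspectDir = $true }
            }

            # Authenticode status: 'Valid' for a properly signed binary; anything else is a lead.
            $sig = if (Test-Path -LiteralPath $image) {
                (Get-AuthenticodeSignature -FilePath $image).Status
            } else { 'MISSING' }

            [PSCustomObject]@{
                Key       = $key
                Name      = $p.Name
                Image     = $image
                Signature = $sig
                Suspect   = ($inSuspectDir -or ($sig -ne 'Valid'))
            }
        }
    }
}

# Print everything, suspect entries first, so the operator can decide what to remove.
Get-AutostartReport | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

Once an entry is confirmed as the rogue, `Remove-ItemProperty -Path <Key> -Name <Name>` deletes the autostart value and the image file can then be quarantined; an entry that points at a missing file is also worth removing, since a half-cleaned installation often leaves dangling values behind. Check the SafeBoot-independent locations too (services, scheduled tasks, Winlogon and shell keys) before rebooting, since this script deliberately covers only the Run keys.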

Photo gallery (3 images): "Ransomware is becoming a dangerous trend"; screenshot of the System Security 2009 scareware; the fake System Security 2009 error message.