I have a popup telling me that I am infected and to buy this software or that I need to run a scan when my current PC-Cillin is running a scan. What is this worm called and can you tell me how to remove it?
This question was answered on April 3, 2009. Much of the information contained herein may have changed since posting.
Your description sounds like the long-running ‘scare-ware’ program generally calling itself AntiVirus 2009 (formerly AntiVirus 2008).
This family of scams has been very successful in fooling folks into paying for relatively useless software and the stakes are starting to get higher.
The most recent variations will attempt to convince you that your My Documents folder is corrupted and offers a free “fix” to repair the problem.
Once again, this is a scam to get you to install a rogue program that, in this case, actually ‘encrypts’ your My Documents folder and then will hold you hostage when you try to get back into your files.
The ‘ransom’ for giving you the key to unlock the encryption is $50, which is why the security community refers to this type of malware as ‘ransom-ware’(if you get infected with this scam, DON’T pay the ransom! Unlock tools have been posted around the Internet or consult a professional).
The authors of these programs used a generic sounding name (AntiVirus 2009) which is used by many companies and boxes that look a lot like they were generated by the Windows operating system.
This combination is fooling a lot of users into thinking that the warnings are legit.
In your case, if the warnings are not coming from PC-Cillin (Trend Micro) then you know that you should be suspicious Likewise, users that have installed A/V software from companies like Norton, Webroot, McAfee, Panda or any of the major vendors should only heed warnings that are generated by the specific program that was installed as the protection system.
Paying attention to the details of the warnings is the best way to sidestep these types of scams In addition to making sure that a warning message is coming from your A/V program, look at the header (usually the blue bar at the top of the warning box) to see if it has the name of your program in it.
If you see things like FreeWebScanner or FreeScan or FreeAntiVirusScan or anything other than your security software’s name, don’t respond (click the X in the top right corner).
In order to get these pop-ups in the first place, someone has likely ventured into fringe websites (gambling, adult content, hacker sites, warez software key sites, etc.), downloaded files from a file sharing network like LimeWire or KaZaa or fallen for one of the many new e-mail or social media video scam messages.
If you get any kind of message saying that an embarrassing video of you is up on YouTube or checkout this sexy video of a girl, etc and when you go there to see the video, you are prompted to update your Flash player or video ‘codec’, don’t fall for it (unless you are just getting started with a new installation, you have everything you need to see online video already).
Your chances of getting ‘infected’ by the AntiVirus 2009 scam is exponentially higher than every getting infected by any of the Conficker worms that captured the world’s attention last week because it relies on gullibility.
As with all infections, the more you pay attention to what you are clicking on and the more suspicious you are of everything that you see, the less likely you will become a victim of these scams.
The bad guys know that you aren’t paying attention out there and they are getting better at distracting those that aren’t constantly on their guard, so don’t let them fool you.
About the author
Ken Colburn of Data Doctors on April 3, 2009