Microsoft kicks fake security software off 400,000 PCs

Computerworld - In the second month of a campaign against fake security software, Microsoft Corp. has booted the rogue application "Antivirus 2009" from almost 400,000 PCs, the company recently claimed.

December's version of the Malicious Software Removal Tool (MSRT), a free utility that Microsoft pushes to Windows users as part of Patch Tuesday, targeted one of the most popular phony security app, Antivirus 2009. According to Microsoft, the MSRT erased the fake from over 394,000 PCs in the first nine days after it released this month's edition on Dec. 9.

Last month, Microsoft trumpeted a similar cleaning operation against another family of bogus security software that it said had purged nearly a million machines of programs such as those called "Advanced Antivirus," "Ultimate Antivirus 2008" and "XPert Antivirus."

December's campaign targeted a different family -- dubbed "W32/FakeXPA" by Microsoft -- that includes fake security software going by names such as "Antivirus XP," "AntivirusXP 2008" and "Antivirus 2009."

Windows users increasingly have been plagued with worthless security software as criminals bundle the moneymakers with other malware or seed significant users with waves of spam touting the programs. According to one researcher, cybercrooks can pull in as much as $5 million a year by installing the rogue programs on PCs, then dunning users with infection claims and constant pop-ups until the victims pay $40 or $50 to purchase the useless applications.

Microsoft also aimed the December version of MSRT at an affiliated piece of malware, called "W32/Yektel," that works alongside W32FakeXPA and is often bundled with the phony security software.

Classified by Microsoft as a Trojan horse, Yektel takes advantage of users' worries about browser security by inserting false warnings into Internet Explorer. Those warnings, explained Microsoft researcher Hamish O'Dea in a post to the company's malware protection center blog two weeks ago, appear at random and mimic IE's own legitimate drop-down alerts.

Newer variations of the Yektel Trojan go a step further and insert phony warnings into Google search results, said O'Dea. Whenever these even-sneakier versions detect IE rendering a URL that includes "google," it inserts a fake message that says, "Google has detected unregistered Antivirus 2009 copy on your computer. Google recommends you activate Antivirus 2009 to protect your PC from malicious intrusions from the Internet."

The links from Yektel's IE and Google warnings take users to a Web site where users are urged to pay $50 to register Antivirus 2009.

Windows users can download the MSRT manually from Microsoft's Web site or via the Windows Update service.