The Win32/Fake PAV Trojan and How It Works

The Win32/Fake PAV Trojan is one of the fastest spreading and most devilish pieces of malware ever concocted. This nasty little bug first showed up in the third quarter of 2010, and by the end of the year it had become the second most common rogue software detected, according to the Microsoft Security Intelligence Report.

The Win 32/Fake PAV Trojan, or Rogue PAV, is bad news because it actually swipes credit card information. It is also one of the most elaborate and sneakiest pieces of malware yet seen. Among other things, Win 32/Fake PAV delivers a fake Microsoft Security Essentials Alert, installs a phony security program, and even reboots the computer, all as an elaborate variation of the phishing scam. Perhaps the worst part of this Trojan is that it convinces the user that the computer is infected; then, in an attempt to get rid of the malware, the user installs the malware himself.

How Win 32/Fake PAV Works

The most recent version of this malware gets in by delivering a message that asks the user to click on a button. When the user clicks the button, a pop-up security warning that looks like the Microsoft Security Essentials Alert appears. Clicking on the details shows fake information that says the computer is infected by a Trojan.

If you close the alert and run another function, another security alert appears. This states that the computer user has to choose Apply Actions or Clean Computer to get rid of the Trojan. If you hit either of these buttons, a Security Alert stating that a solution has been found appears. This states that the threat level is very high and that only installing a trial version of something called Think Point will fix the problem. If you press Continue you will get a message asking you to OK the installation of Think Point.

What happens next is that the computer reboots. When Windows comes back up, the user sees that a new security program called Palladium Pro has been installed. Palladium Pro is a fake, but it pretends to scan the computer for malware. In reality all it does is show what looks like information from a low-end antivirus program.

After a couple of minutes Palladium Pro tells you that it has discovered threats but needs a special feature called Heuristics to clean the computer. To get Heuristics you will have to enter your credit card information and other personal information. Win 32/Fake PAV even provides you with an order form for it.

Taking a look at this fake order form will show why this malware is among the most sophisticated yet unleashed. The order form even states that Palladium Pro has won an award from PC World, so it looks like a real order form for a real product. The user gets the impression that she will never be able to use the computer again unless she buys Heuristics. Buying the product gives the bad guys access to the user’s credit card and contact information.

Getting Rid of Win 32/Fake PAV

The Microsoft Malicious Software Removal Tool will get rid of Fake PAV. So will most other antivirus software programs. Interestingly enough, when you try to remove Fake PAV a message from Palladium Pro will pop up in the corner. This will tell you that the database update has failed.

You can download the Malicious Software Removal Tool here:

http://www.microsoft.com/security/pc-security/malware-removal.aspx

Microsoft updates this tool on a regular basis, so it should get rid of the latest threats.

How Win 32/Fake PAV Spreads

This malware is part of a new generation of nasty programs that actually mimic elements of the Microsoft Security Essentials Alert. It gets its name because the fake alert actually tells users that their computer has been infected by the Win 32/Trojan.

Figure: a Microsoft Security Intelligence Report chart showing how fast the many variants of Win 32/Fake PAV spread.

Microsoft’s security team reports that Win 32/Fake PAV spreads through ads and SEO (Search Engine Optimization), and it can also be installed by other malware. Its operation is similar to other pieces of malware including Win 32/Privacy Center, Win 32/SpyPro and Win 32/FakeXPA. The experts in Redmond think the same evil minds behind Privacy Center, SpyPro and FakeXPA thought up Fake PAV.

These criminals are using a popular hacker strategy called rogue security software. Rogue security software has become one of the most common methods by which malware spreads. These Trojans pretend to run a security scan and offer a solution. The solution involves buying new security software, which requires you to give the bad guys your credit or debit card number. Not surprisingly, the bad guys then use this information to clean out your bank account or max out your credit card.

Some of the names under which this scam operates include:

  • AntiSpywareSoft
  • Red Cross Antivirus
  • Peak Protection 2010
  • AntiSpy Safeguard
  • Major Defense Kit
  • Pest Detector
  • ThinkPoint
  • Privacy Guard 2010
  • Palladium Pro

If you see any of these “antivirus programs” on a computer, that machine has been infected by some variant of Win 32/Fake PAV. The security programs are actually malware. Unfortunately this is only a partial listing of the aliases used by this malware; Microsoft’s Malware Protection Center lists another twenty names by which this menace is known.
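A quick way for an administrator to act on the alias list above is to compare the display names of installed programs against it. The script below is an added example, not code from the article or from Microsoft: the alias list is the one printed above, the sample display names are constructed for the demonstration, and the optional Windows helper assumes the standard HKLM Uninstall registry key (`SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`) and does nothing on other platforms. Names are normalized before comparison so that “Think Point”, “ThinkPoint” and “Palladium Pro 1.0” are all caught.

```python
"""Flag installed programs whose names match the rogue-antivirus aliases
listed in the article. Added example; sample input is constructed."""
import re

# Aliases named in the article. Win32/Fake PAV variants install under these names.
FAKE_PAV_ALIASES = [
    "AntiSpywareSoft",
    "Red Cross Antivirus",
    "Peak Protection 2010",
    "AntiSpy Safeguard",
    "Major Defense Kit",
    "Pest Detector",
    "ThinkPoint",
    "Privacy Guard 2010",
    "Palladium Pro",
]


def normalize(name: str) -> str:
    """Lower-case and drop everything except letters and digits, so that
    'Think Point', 'ThinkPoint' and 'think-point' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


# Map normalized alias -> alias as printed in the article.
_NORMALIZED_ALIASES = {normalize(a): a for a in FAKE_PAV_ALIASES}


def find_rogue_av(installed_names):
    """Return [(observed_name, matched_alias), ...] for every observed name
    that contains a known alias in normalized form. Substring matching
    handles version suffixes such as 'Palladium Pro 1.0'."""
    hits = []
    for observed in installed_names:
        key = normalize(observed)
        if not key:
            continue
        for alias_key, alias in _NORMALIZED_ALIASES.items():
            if alias_key in key:
                hits.append((observed, alias))
                break  # one report per observed program is enough
    return hits


def list_installed_programs_windows():
    """On Windows, read DisplayName from the standard Uninstall key in both
    the 64-bit and 32-bit registry views (assumed well-known location).
    Returns an empty list on platforms without winreg."""
    try:
        import winreg
    except ImportError:
        return []
    names = []
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                  winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    child = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, child) as k:
                        names.append(winreg.QueryValueEx(k, "DisplayName")[0])
                except OSError:
                    pass  # entry has no DisplayName; skip it
    return names


# Constructed sample of Add/Remove Programs display names (not real host data).
SAMPLE_INSTALLED = [
    "Microsoft Security Essentials",
    "Mozilla Firefox 3.6",
    "Think Point",
    "Palladium Pro 1.0",
    "Adobe Reader 9",
    "peak protection 2010",
]

if __name__ == "__main__":
    # Use the live registry on Windows, otherwise fall back to the sample.
    names = list_installed_programs_windows() or SAMPLE_INSTALLED
    for observed, alias in find_rogue_av(names):
        print(f"ROGUE AV: {observed!r} matches known alias {alias!r}")
```

Run it on the sample and it reports Think Point, Palladium Pro 1.0 and peak protection 2010 while leaving the legitimate entries alone. A hit is a strong indicator that the machine needs a scan with the Malicious Software Removal Tool or another current antivirus product, as the article describes.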

This is probably only the tip of the iceberg; the next generation of these Trojans will probably be able to download information without any action from the user. The best way to defend yourself is to make sure your antivirus software is on and to use it.

You can keep up with the latest malware by reading the Microsoft Security Intelligence Report. Access it here:

http://www.microsoft.com/security/sir/default.aspx

Microsoft’s Malware Protection Center can also provide you with a lot of good data on malware. It is located here:

http://www.microsoft.com/security/portal/

This entry was posted in How to Guides.