Information on Rogue Programs & Scareware

Summary:

A Rogue Program is a program that is typically not harmful in itself, but that uses deceptive advertising and false positives as a scare tactic to get you to purchase a registered licence of the software.

Detailed description:

Most Rogue programs state that they are legitimate applications, but are typically clones of other lackluster products repackaged under new names and graphics. Most Rogue programs also use highly aggressive sales tactics which include adware, Trojans that display fake security alerts, or claims that they have won awards from major publications and companies. What it all boils down to, though, is that these types of programs are either deliberately deceptive or display numerous false positives in order to convince you to purchase their software. This is because the single most important thing to the creators of Rogue software is to sell as many copies as they can. That means that the people, or affiliates, who are selling this software can do so by any means. This ultimately leads to deceptive advertising and the use of malware to sell the software.

A common approach by Rogue programs is to display either fake results or exaggerated results when the program scans your computer. When the scan is finished you will be shown a list of legitimate files and Windows Registry keys that are flagged as security threats. In some cases, the Rogue programs actually create the files and Windows Registry keys on your computer so that they can be detected as malware. Then in order to remove these threats, you must first purchase a license of the software. These fraudulent tactics are used to scare you into purchasing this software. Now it should be noted that there is nothing wrong with a program requiring you to purchase it before it will remove any infections. It is wrong, though, to display false information to scare you into doing it.

Another common tactic used by Rogues is to advertise, or even directly install themselves, through the use of malware. Rogue programs are typically introduced into your computer when a person visits pornographic sites or sites that offer copyrighted content. In some cases you will be infected by just visiting these sites, depending on what security updates are installed, and in other cases you must first run an executable. Either way, your computer will have malware installed that displays fake security alerts stating that you have some security risk and must install a piece of software, the Rogue, to remove it.

Other resources:

Info from BleepingComputer.com

System Protection Tools - Fake rogue anti-spyware that mimics Microsoft Security Essentials

The following is copied from http://www.bleepingcomputer.com/virus-removal/remove-system-protection-tools 05-23-2012

System Protection Tools is a rogue anti-spyware program from the Rogue.FakeVimes family. This infection is promoted through web sites that show advertisements that pretend to be online anti-malware scanners. These scanners will then pretend to scan your computer, and when finished, will state that your computer is infected and that you need to download and install System Protection Tools to protect yourself. The truth is that these online scanners are all fake and are only an advertisement. They have no way of knowing what is running on your computer.

 

 

System Protection Tool screen shot

Once System Protection Tools is installed on your computer it will be configured to start automatically. It will also create numerous files that will be detected by the program as malware. Some of the files that are created are:

%UserProfile%\Recent\ANTIGEN.exe
%UserProfile%\Recent\cid.exe
%UserProfile%\Recent\ddv.tmp
%UserProfile%\Recent\eb.drv
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\exec.sys
%UserProfile%\Recent\fan.tmp
%UserProfile%\Recent\fix.sys
%UserProfile%\Recent\hymt.drv
%UserProfile%\Recent\hymt.sys
%UserProfile%\Recent\kernel32.drv
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\kernel32.tmp
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\runddlkey.exe
%UserProfile%\Recent\SICKBOY.exe
%UserProfile%\Recent\SICKBOY.tmp
%UserProfile%\Recent\tempdoc.exe

When the program scans your computer it will detect the files it created and state that they are infections. It will then prompt you to remove the files, but will not allow you to do so until you first purchase the program. This is a scam as the files are all harmless and are created by the System Protection Tools program in the first place. Therefore, please ignore any of the scan results this program displays.
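A triage check for the decoy files described above, as an added example that is not part of the original article or of the BleepingComputer write-up. It flags the listed file names and, as an assumption, any other executable-type file in a Recent folder, which normally holds shortcuts; the function names, the extension list and the sample directory are constructed for illustration.

```python
import tempfile
from pathlib import Path

# File names the page lists as created under %UserProfile%\Recent.
KNOWN_DECOYS = {n.lower() for n in (
    "ANTIGEN.exe", "cid.exe", "ddv.tmp", "eb.drv", "eb.exe", "exec.sys",
    "fan.tmp", "fix.sys", "hymt.drv", "hymt.sys", "kernel32.drv",
    "kernel32.exe", "kernel32.tmp", "PE.tmp", "runddlkey.exe",
    "SICKBOY.exe", "SICKBOY.tmp", "tempdoc.exe")}

# Assumption: Recent normally holds only .lnk shortcuts (plus desktop.ini),
# so these file types there deserve a look even when the name is not listed.
ODD_EXTENSIONS = {".exe", ".sys", ".drv", ".tmp", ".dll", ".scr"}


def triage_recent(recent_dir):
    """Return {file name: reason} for entries that do not belong in Recent."""
    findings = {}
    for entry in sorted(Path(recent_dir).iterdir()):
        if not entry.is_file():
            continue
        # Windows file names are case-insensitive, so compare in lower case.
        if entry.name.lower() in KNOWN_DECOYS:
            findings[entry.name] = "listed decoy name"
        elif entry.suffix.lower() in ODD_EXTENSIONS:
            findings[entry.name] = "non-shortcut file type in Recent"
    return findings


def build_sample_dir():
    """Constructed sample: two listed decoys, one unlisted .exe, normal entries."""
    root = Path(tempfile.mkdtemp(prefix="recent_sample_"))
    for name in ("kernel32.exe", "SICKBOY.tmp", "updater.exe",
                 "report.docx.lnk", "desktop.ini"):
        (root / name).write_bytes(b"")
    return root


if __name__ == "__main__":
    # On a real system, pass the path of the profile's Recent folder instead.
    sample = build_sample_dir()
    for fname, reason in triage_recent(sample).items():
        print(f"{fname}: {reason}")
```

A hit on a listed name points to the rogue's own decoys rather than to a separate infection, which matches the page's advice to disregard the scan results.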

While System Protection Tools is running it will also display fake security warnings that are designed to make you think that your computer has a severe computer security problem. The text of some of the alerts you will see are:

System Alert
System Protection Tools has detected pontentially harmful software in your system. It is strongly recommended that you register System Protection Tools to remove all found threats immediately.

System Alert
malicious applications, which may contain Trojans, were found on your computer and are to be removed immediately. Click here to remove these potentially harmful items using System Protection Tools.

Warning! Virus detected
Threat Detected: Trojan-Spy.HTML.Bankfraud.IX

As all of these security alerts are false, they should be ignored.

As you can see, System Protection Tools was created to scare you into thinking your computer was severely infected so that you would then purchase it. It goes without saying that you should definitely not purchase this program, and if you already have, please contact your credit card company and dispute the charge.

Antivirus Protection 2012

Antivirus Protection 2012 is a rogue anti-spyware program from the Rogue.Zaxar family. This rogue displays fake scan results and alerts in order to scare you into thinking your computer is infected. This program is installed through Trojans that download and install the program on to your computer without your permission. When installed, the rogue will also create numerous harmless files in your Windows Temp folder that will then be detected as malware when Antivirus Protection 2012 attempts to scan your computer. If you attempt to use the program to remove any of the files it detects as infections, it will state that you need to purchase the program before you can do so. As all of the files it detects as infections are harmless or legitimate Windows files, please disregard the scan results and do not purchase the program.

 

 

Antivirus Protection 2012 screen shot

While running, Antivirus Protection 2012 will also display fake security alerts on your computer. These alerts are designed to make you think that you have a severe computer infection or that your computer is sending private data to a remote location. The text of these alerts include:

Security Center
Unauthorized remote connection!
Your system is making an unauthorized personal data transfer to a remote computer!
Warning! Unauthorized personal data transfer is detected! It may be your personal credit card details, logins and passwords, browsing habits or information about files you have downloaded.
To protect your private data, please click “Prevent Connection” button below.

You have been infected by a proxy-relay trojan server with new and danger “SpamBots”.
You have a computer with a virus that sends spam.
This is a mass-mailing worm with backdoor thus allowing un-authorized access to the infected system.
It spreads by mass-mailing itself to e-mail addresses harvested from the local computer or by querying on-line search engines such as google.com.
The IP <ip address> address that YOU are getting from Internet Service Provider (ISP) for YOU personal computer is on some major blacklist.
Your computer has been used to send a huge amount of junk e-mail messages during the last days.
You IP <ip address> will be marked in the Police log file as mass-mailing spam assist.
Upgrading to the full version Antivirus Protection 2012 it will eliminate the majority of Spam attempts.

Antivirus Protection 2012
Your computer is being used as spamming machine. You can get sued for spam. Your computer WIL BE DISCONNECTED FORM <sic> INTERNET BECAUSE SPAMMING OTHER PCs.

Security Center Alert
To help protect your computer, Security Center has blocked some features of this program.
Do you want to block this suspicious software?
Name: Sft.Dez.Wien
Risk: High

Last, but not least, when you attempt to run the wordpad.exe, mspaint.exe, winword.exe, excel.exe, msaccess.exe, powerpnt.exe, firefox.exe, opera.exe, or wmplayer.exe executables, this infection will close the program and display a fake message stating that the program is infected:

Antivirus Protection 2012
The application excel.exe was launched successfully but it was forced to shut down due to security reasons. This application infected by a malicious software program which might present damage for the PC. It is highly recommended to make a full scan of your computer to exterminate the malicious programs from it.

Just like the fake scan results, all of these alerts and the browser hijacking are fake and are only being shown to scare you into purchasing the program.

Without a doubt, this program was developed to scare you into thinking that your computer has a serious computer security problem so that you will then purchase it. Therefore, do not purchase Antivirus Protection 2012 for any reason, and if you already have, please contact your credit card company and state that the program is a computer virus and a scam and that you would like to dispute the charge.