Scareware Tricks Users Into Removing Antivirus Software - InformationWeek



A version of the widespread "retrovirus" CoreGuard Antivirus, called AnVi Antivirus, targets many well-known AV programs, warns Symantec.

Symantec Wednesday issued a warning about AnVi Antivirus, a new "retrovirus," aka anti-antivirus, designed to kill legitimate antivirus software. AnVi Antivirus is part of a social engineering attack designed to trick users into getting rid of antivirus products from such software vendors as AVG, Spyware Doctor, Symantec, Microsoft, and Zone Labs.

The trick up the software's sleeve is that it actually uses legitimate antivirus programs' own uninstallers to get users to uninstall the software.

In particular, if a user executes a malicious file -- generally dubbed Trojan.FakeAV by Symantec -- it launches a system-level popup window warning the user that the currently installed antivirus product isn't certified, is compromising system performance, and should be uninstalled. Whether the user clicks "ok" or simply closes the window manually, AnVi then launches the legitimate antivirus software's uninstaller. At that point, the user would need to click the actual "uninstall" button for the software to be removed.

Interestingly, the malicious file -- which may be installed by other malware, arrive via drive-by download or a visit to a fake antivirus website, or come bundled with other software -- actually searches a Windows registry subkey for currently installed antivirus software, then "launches the uninstaller for certain legitimate antivirus software," said Symantec.

At the same time, the malicious file attempts to download AnVi Antivirus, a new clone of retrovirus CoreGuardAntivirus2009, not to be confused with the Vormetric technology of the same name. Once activated, "the program reports false or exaggerated system security threats on the computer," said Symantec. "The user is then prompted to pay for a full license of the application in order to remove the threats."

However, the fake antivirus program itself is the threat, and provides no antivirus functionality.
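As an added example, not taken from the article or from Symantec's advisory, here is detection logic a defender could run over process-creation telemetry to catch the behaviour described above: a legitimate antivirus uninstaller started by something other than the usual Programs-and-Features path. The Sysmon-style field names are assumed, and the event records, vendor name, user name and paths are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (Event ID 1 fields).
# Vendor names, user names and paths are illustrative placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleAV\uninstall.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\ExampleAV\uninstall.exe"'},
    {"Image": r"C:\Program Files\ExampleAV\uninstall.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update_setup.exe",
     "CommandLine": r'"C:\Program Files\ExampleAV\uninstall.exe" /S'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\alice\Downloads\freebie_bundle.exe",
     "CommandLine": r"msiexec.exe /x {PLACEHOLDER-PRODUCT-CODE} /qn"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update_setup.exe",
     "CommandLine": "notepad.exe"},
]

# Parents that normally start a user-driven uninstall (Programs and Features, installers).
EXPECTED_PARENTS = {"explorer.exe", "msiexec.exe", "control.exe", "systemsettings.exe", "services.exe"}
# Uninstall indicators: an "uninst*" binary name, or removal switches on the command line.
UNINSTALL_RE = re.compile(r"uninst|/uninstall|/remove|(^|\s)/x(\s|$)", re.IGNORECASE)
# A parent executing from a user-writable staging directory is a second red flag.
STAGING_RE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)

def is_uninstall_event(event):
    """True if the newly created process looks like a product uninstaller."""
    return bool(UNINSTALL_RE.search(PureWindowsPath(event["Image"]).name)
                or UNINSTALL_RE.search(event["CommandLine"]))

def flag_suspicious_uninstalls(events):
    """Return (event, reasons) pairs for uninstalls launched from an unexpected parent."""
    hits = []
    for ev in events:
        if not is_uninstall_event(ev):
            continue
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        reasons = []
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if STAGING_RE.search(ev["ParentImage"]):
            reasons.append("parent runs from a user-writable staging directory")
        if reasons:
            hits.append((ev, reasons))
    return hits

if __name__ == "__main__":
    for ev, reasons in flag_suspicious_uninstalls(SAMPLE_EVENTS):
        print(ev["ParentImage"], "->", ev["CommandLine"], "|", "; ".join(reasons))
```

The user-initiated uninstall from explorer.exe passes, while the two uninstalls spawned by binaries in Temp and Downloads are flagged; in production the expected-parent set would be tuned to the organisation's software-deployment tooling.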
