Scareware Tricks Users Into Removing Antivirus Software

Symantec Wednesday issued a warning about AnVi Antivirus, a new "retrovirus," aka anti-antivirus, designed to kill legitimate antivirus software. AnVi Antivirus is part of a social engineering attack designed to trick users into getting rid of antivirus products from such software vendors as AVG, Spyware Doctor, Symantec, Microsoft, and Zone Labs.

The trick up the software's sleeve is that it actually uses legitimate antivirus programs' own uninstallers to get users to uninstall the software.

In particular, if a user executes a malicious file -- generally dubbed Trojan.FakeAV by Symantec -- it launches a system-level popup window warning them that their currently installed antivirus product isn't certified and is compromising system performance, and should be uninstalled. Regardless of whether or not a user clicks "ok" or simply closes the window manually, AnVi then launches the legitimate antivirus software's uninstaller. At that point, a user would need to click the actual "uninstall" button for the software to be removed.

Interestingly, the malicious file -- which may be installed by malware, drive-by downloading, visiting fake antivirus websites, or come bundled with other software -- actually searches out currently installed antivirus software in the Windows registry subkey, then "launches the uninstaller for certain legitimate antivirus software," said Symantec.

At the same time, the malicious file attempts to download AnVi Antivirus, a new clone of retrovirus CoreGuardAntivirus2009, not to be confused with the Vormetric technology of the same name. Once activated, "the program reports false or exaggerated system security threats on the computer," said Symantec. "The user is then prompted to pay for a full license of the application in order to remove the threats."

However, the fake antivirus program itself is the threat, and provides no antivirus functionality.