MS Antivirus (malware)

MS Antivirus
Developer(s)	Bakasoftware (developer name:Gavril Danilkin alias "krab"), Innovagest2000, Innovative Marketing Inc.(Jain Shaileshkumar, Bjorn Daniel, etc)
Operating system	Microsoft Windows
Type	Rogue software

Last updated May 14, 2024

MS Antivirus (also known as Spyware Protect 2009 and Antivirus XP 2008/Antivirus2009/SecurityTool/etc) is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

Names

Many clones of MS Antivirus that include slight variations have been distributed throughout the web. They are known as XP Antivirus,^[2] Vitae Antivirus, Windows Antivirus, Win Antivirus, Antivirus Action, Antivirus Pro 2009, 2010, 2017 or simply just Antivirus Pro, Antivirus 2007, 2008, 2009, 2010, 2011, and 360, AntiMalware GO, Internet Antivirus Plus, System Antivirus, Spyware Guard 2008 and 2009, Spyware Protect 2009, Winweb Security 2008, Antivirus 10, Total Antivirus 2020, Live Protection Suite, System Security, Malware Defender 2009, Ultimate Antivirus2008, Vista Antivirus, General Antivirus, AntiSpywareMaster, Antispyware 2008, XP AntiSpyware 2008, 2009 and 2010, Antivirus Vista 2010, Real Antivirus, WinPCDefender, Antivirus XP Pro, Anti-Virus-1, Antivirus Soft, Vista Antispyware 2012, Antispyware Soft, Antivirus System PRO, Antivirus Live, Vista Anti Malware 2010, Internet Security 2010, XP Antivirus Pro, Security Tool, VSCAN7, Total Security, PC Defender Plus, Disk Antivirus Professional, AVASoft Professional Antivirus, System Care Antivirus, and System Doctor 2014. Another MS Antivirus clone is named ANG Antivirus. This name is used to confuse the user of the software into thinking that it is the legitimate AVG Antivirus before downloading it.^[3]

Symptoms of infection

SWP '09 "protecting" the user from microsoft.com. Notice that the font is different than what Internet Explorer usually uses. SpywareProtect09block.PNG — SWP '09 "protecting" the user from microsoft.com. Notice that the font is different than what Internet Explorer usually uses.

Each variant has its own way of downloading and installing itself onto a computer. MS Antivirus is made to look functional to fool a computer user into thinking that it is a real anti-virus system in order to convince the user to "purchase" it. In a typical installation, MS Antivirus runs a scan on the computer and gives a false spyware report claiming that the computer is infected with spyware. Once the scan is completed, a warning message appears that lists the spyware ‘found’ and the user either has to click on a link or a button to remove it. Regardless of which button is clicked -- "Next" or "Cancel"—a download box will still pop up. This deceptive tactic is an attempt to scare the Internet user into clicking on the link or button to purchase MS Antivirus. If the user decides not to purchase the program, then they will constantly receive pop-ups stating that the program has found infections and that they should register it in order to fix them. This type of behavior can cause a computer to operate more slowly than normal.

MS Antivirus will also occasionally display fake pop-up alerts on an infected computer. These alerts pretend to be a detection of an attack on that computer and the alert prompts the user to activate or purchase the software in order to stop the attack. More seriously it can paste a fake picture of a Blue Screen of Death over the screen and then display a fake startup image telling the user to buy the software. The malware may also block certain Windows programs that allow the user to modify or remove it. Programs such as Regedit can be blocked by this malware. The registry is also modified so the software runs at system startup. The following files may be downloaded to an infected computer:^[4]

MSASetup.exe
MSA.exe
MSA.cpl
MSx.exe

Depending on the variant, the files have different names and therefore can appear or be labeled differently. For example, Antivirus 2009 has the .exe file name a2009.exe.^{[ citation needed ]}

In addition, in an attempt to make the software seem legitimate, MS Antivirus can give the computer symptoms of the "viruses" that it claims are on the computer.^[5] For example, some shortcuts on the desktop may be changed to links of sexually explicit websites instead.

Malicious actions

Most variants of this malware will not be overtly harmful, as they usually will not steal a user's information (as spyware) nor critically harm a system. However, the software will act to inconvenience the user by frequently displaying popups that prompt the user to pay to register the software in order to remove non-existent viruses. Some variants are more harmful; they display popups whenever the user tries to start an application or even tries to navigate the hard drive, especially after the computer is restarted. It does this by modifying the Windows registry. This can clog the screen with repeated pop-ups, potentially making the computer virtually unusable. It can also disable real antivirus programs to protect itself from removal. Whichever variant infects a computer, MS Antivirus always uses system resources when running, potentially making an infected computer run more slowly than before.

The malware can also block access to known spyware removal sites and in some instances, searching for "antivirus 2009" (or similar search terms) on a search engine will result in a blank page or an error page. Some variants will also redirect the user from the actual Google search page to a false Google search page with a link to the virus' page that states that the user has a virus and should get Antivirus 2009. In some rare cases, with the newest version of the malware, it can prevent the user from performing a system restore.

Earnings

In November 2008, it was reported that a hacker known as NeoN hacked the Bakasoftware's database, and posted the earnings of the company received from XP Antivirus. The data revealed the most successful affiliate earned USD$158,000 in a week.^[6]^[7]

Court actions

On December 2, 2008, the U.S. District Court for the District of Maryland issued a temporary restraining order against Innovative Marketing, Inc. and ByteHosting Internet Services, LLC after receiving a request from the Federal Trade Commission (FTC). According to the FTC, the combined malware of WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus has fooled over one million people into purchasing the software marketed as security products. The court also froze the assets of the companies in an effort to provide some monetary reimbursement to affected victims. The FTC claims the companies established an elaborate ruse that duped Internet advertising networks and popular Web sites into carrying their advertisements.

According to the FTC complaint, the companies charged in the case operated using a variety of aliases and maintained offices in the countries of Belize and Ukraine (Kyiv). ByteHosting Internet Services is based in Cincinnati, Ohio. The complaint also names defendants Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno in its filing, along with Maurice D’Souza, who is named Relief Defendant, for receiving proceeds from the scheme.^[8]

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Spybot – Search & Destroy (S&D) is a spyware and adware removal computer program compatible with Microsoft Windows. Dating back to the first Adwares in 2000, Spybot scans the computer hard disk and/or RAM for malicious software.

<span class="mw-page-title-main">Scareware</span> Malware designed to elicit fear, shock, or anxiety

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

AVG AntiVirus is a line of antivirus software developed by AVG Technologies, a subsidiary of Avast, a part of Gen Digital. It is available for Windows, macOS and Android.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

<span class="mw-page-title-main">Microsoft Defender Antivirus</span> Anti-malware software

Microsoft Defender Antivirus is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.

Norton Internet Security, developed by Symantec Corporation, is a discontinued computer program that provides malware protection and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include a personal firewall, email spam filtering, and phishing protection. With the release of the 2015 line in summer 2014, Symantec officially retired Norton Internet Security after 14 years as the chief Norton product. It was superseded by Norton Security, a rechristened adaptation of the Norton 360 security suite.

Windows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Windows. A core technology of OneCare was the multi-platform RAV, which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued. The software was available as an annual paid subscription, which could be used on up to three computers.

A registry cleaner is a class of third-party utility software designed for the Microsoft Windows operating system, whose purpose is to remove redundant items from the Windows Registry.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

Security and Maintenance is a component of the Windows NT family of operating systems that monitors the security and maintenance status of the computer. Its monitoring criteria includes optimal operation of antivirus software, personal firewall, as well as the working status of Backup and Restore, Network Access Protection (NAP), User Account Control (UAC), Windows Error Reporting (WER), and Windows Update. It notifies the user of any problem with the monitored criteria, such as when an antivirus program is not up-to-date or is offline.

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

PC Tools, formerly known as WinGuides.com, was a software company acquired by Gen Digital formerly Symantec in 2008; the new owner eventually discontinued the PC Tools name. Company headquarters were in Australia, with offices in Luxembourg, the United States, United Kingdom, Ireland and Ukraine. The company had previously developed and distributed security and optimization software for the Mac OS X and Microsoft Windows platforms.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

Microsoft Security Essentials (MSE) is a discontinued antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge.

References

↑ "How to remove MS Antivirus". BleepingComputer.
↑ Seltzer, Larry. "MS Antivirus 2008 morphed from XP Antivirus 2008". PC Magazine. Archived from the original on 2008-09-12. Retrieved 2008-09-23.
↑ ANG AntiVirus 09 Remover at Spyware Removal Tools Accessed October 24, 2010
↑ "MS Antivirus". ca.com. Archived from the original on 2009-01-13.
↑ Vincentas (16 July 2013). "MS Antivirus in SpyWareLoop.com". Spyware Loop. Retrieved 28 July 2013.
↑ Stewart, Joe. "Rogue Antivirus Dissected - Part 2". SecureWorks. Retrieved 24 February 2016.
↑ "Bakasoftware Russian Scareware Named and Shamed By Hacker". IT Security NEWS. SecPoint. 31 October 2008. Archived from the original on 10 January 2010. Retrieved 8 March 2010.
↑ "Court Halts Bogus Computer Scans". Federal Trade Commission. December 10, 2008. Retrieved 2009-01-19.

External links

XP Antivirus 2009 Description and Removal instructions Archived 2009-05-10 at the Wayback Machine on About.com

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "How to remove MS Antivirus". BleepingComputer.

[2] Seltzer, Larry. "MS Antivirus 2008 morphed from XP Antivirus 2008". PC Magazine. Archived from the original on 2008-09-12. Retrieved 2008-09-23.

[3] ANG AntiVirus 09 Remover at Spyware Removal Tools Accessed October 24, 2010

[4] "MS Antivirus". ca.com. Archived from the original on 2009-01-13.

[AAA-5] Vincentas (16 July 2013). "MS Antivirus in SpyWareLoop.com". Spyware Loop. Retrieved 28 July 2013.

[6] Stewart, Joe. "Rogue Antivirus Dissected - Part 2". SecureWorks. Retrieved 24 February 2016.

[secpoint31102008-7] "Bakasoftware Russian Scareware Named and Shamed By Hacker". IT Security NEWS. SecPoint. 31 October 2008. Archived from the original on 10 January 2010. Retrieved 8 March 2010.

[ftcfile-8] "Court Halts Bogus Computer Scans". Federal Trade Commission. December 10, 2008. Retrieved 2009-01-19.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

v t e Microsoft security products
Numbers in brackets are the years of the initial release of the product.
For Windows	Windows Firewall [2001] Baseline Security Analyzer [2004] Malicious Software Removal Tool [2005] Microsoft Defender [2006] Microsoft SmartScreen [2006] Microsoft Safety Scanner [2011]
For Windows Server	Exchange Online Protection [2007] System Center Data Protection Manager [2007] Identity Manager [2010]
Discontinued	MSAV [1993] Threat Management Gateway [1997] Microsoft Security Essentials [2009] OneCare Safety Scanner [2006] Unified Access Gateway [2007] Windows Live OneCare [2006] RootkitRevealer [2006] Enhanced Mitigation Experience Toolkit [2009]
Related topics	Data Execution Prevention Kernel Patch Protection Mandatory Integrity Control MS Antivirus (malware) User Account Control