My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


aprox 17 kb


This is a web-based piece of malware which tricks the user by making false assumptions about the security of their system.
While surfing, you might be directed from various sources ( spam, hidden redirections on shady webpages, malware already present on your computer ) to an allegedly online scanning tool used for malicious software detection.

Before the scan starts, it's noticeable the intent of giving the false impression that the user is infected from these pictures displayed on the webpage.

The scan process of the system takes about 10 seconds, during which the alleged scanner detects an incredible amount of  thousands of malicious files, although it doesn't even access any of these on the so-called infected computer. All this is neatly put together in a Microsoft Theme, actually using the company name in the last pop-up that warns of infection. All in all, an inexperienced user could be tricked into downloading the malware pushed by the website.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The detected website  hosting malware can be found on the Internet on different domains, but the mechanism is always the same : display false adverts in order to trick the user into downloading and installing another malware which is a rogue antivirus ( usually XP Antivirus clones ) or one of its downloaders. We call this kind of threat Trojan.FakeAlert .

If we look into the source code we can see that the scan consists in enumerating an array found in fileslist.js. From the same file it takes the names of detections, that are usually taken from reliable antivirus sources. But even before the so-called scan we can see a picture of "results" (screenshot below).

This "fakealert" campaign that exists on the Internet for some time now uses a predefined template for the background files :
http://[scanner_site]/[year]/[version_of_malware]/_freescan.php?id=[number]. If we change the [version_of_malware] we get another display which ultimately uses the same scheme.
It is sometimes amusing that malware creators come up with new names for [scanner_site] daily. If you have the word "scan" or "xp" or "av" or "2008/9" or variations of known trusted websites in the host name it could be owned by the malware distributors. Here is an example : hxxp:// and a big list could start here.

If the user wants to close the pop-ups or message boxes it receives this message : "Dont close this window if you want your PC to be clean." or urges him to finish the alleged scan "ATTENTION! You have not completed the virus scan! Your PC is still infected with spyware! Please return to [substituted] and download Antivirus 2009 scanner."

Ultimately, this is just an annoying and simple infection method which is sustained by the builders because it is effective.