Avoid Housecalls From Rogue ‘Malware Doctor’
Friday June 5, 2009 at 7:02 am CST
Posted by Avelino Rico Jr
Yesterday, we came across a new variant of a rogue security program. This one is called Malware Doctor, and we detect it as FakeAlert-D Trojan with our DAT 5635.
The new variant comes from the following web pages:
hxxp://internetware-sa{blocked}.com/
hxxp://mal-ware{blocked}.net
As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to “repair” malware problems.
We also noticed some new features in Malware Doctor. Once installed, it performs a system scan:
Users see a message indicating this “unregistered” version of Malware Doctor won’t be able to heal or remove infected files and asking the user to activate it at a cost.
Unlike many rogue security programs, which display excessive fake alerts, this version of Malware Doctor reports only a few detections so users will not be very suspicious of it.
Once this Trojan detects a supposedly malicious file, it will pop up a message:
This Trojan even makes use of McAfee’s malware naming convention:
This Trojan also displays information about supposedly known viruses, taken from McAfee’s Virus Information Library.
As of today, the malicious website hosting this Trojan makes use of another AV vendor’s malware naming convention. However, the installer for this Trojan no longer exists on the Trojan’s website.
Affected VirusScan users may remove this threat using the latest DATs and engine.
Keep your AV signatures up to date!

June 5th, 2009 at 09:03
Do you have any suggestions on how to persuade less tech-savvy users to avoid rogue security programs like this?