A new development in the rogue antivirus campaign was recently discovered: the latest version of these rogue programs has taken on a new face. The current buzz is that this application is the latest rogue anti-spyware program to victimize unknowing users, extorting money from them by feeding on their worries about (non-existent) system infections. Unfortunate are those who fall prey to these old yet sophisticated scams.
This new version goes by the name Virus Remover 2008. It was first spotted in the wild in early July of this year, just ten days after its predecessor, Antivirus 2009, was spotted. That is not much of a surprise, since it is common cyber criminal behavior to change tactics, or to retouch old ones, while leaving the application functioning essentially the same way.
Antivirus 2009 and Virus Remover 2008 are fairly similar in routines. Figure 1 below is a simple yet comprehensive comparison of the two’s scanning windows:
Figure 1. Comparison between two rogue AV
There are, however, several notable differences between the two:
- Virus Remover 2008, unlike its predecessor, now comes with an EULA that mentions what it can and will do to a system once it has been installed. System slowdown and the termination of several programs due to "incompatibilities" are just some of the possible effects users may encounter.
- Virus Remover 2008 already caters to victims in multiple countries, as shown by the pages built and written for specific languages and regions. This may denote one of two things: (a) an attempt to widen the pool of potential victims, or (b) an attempt to target victims in specific regions and geographies.
Figure 2. Fake EULA
Virus Remover 2008 also seems to have distanced itself from the Windows-like interface. It no longer uses the logo that distinctly resembles the one used by Windows Security Center. This was possibly done because the old Antivirus 2009 interface is already too familiar to users and might give away the fact that it is a fake antivirus program.
Figure 3. A new, unfamiliar interface
The Trend Micro Smart Protection Network already detects Virus Remover 2008 as TROJ_FAKEVIR.AN. It also blocks the website powerfulvirusremover2008(dot)com (the domain is deliberately defanged here), thus preventing users from accessing the malicious site.