The rise of fake antivirus programs began in early 2006, or possibly as early as late 2005, when widely spread programs such as Winfixer and SpySheriff started a marathon of computer infections.
The first rogue programs infected computers through trojans that generated security warnings (also known as fake alerts) closely resembling those displayed by Windows itself. A victim with limited computer literacy is steered by the fake alert toward an unsuitable offer that promises to solve the supposed problem. Responding means clicking on the warning, which leads to the download and installation of the rogue program, and finally to a purchase.
Today, fake programs use far more convoluted methods to deceive the victim. In fact, it is hard to call them programs at all: the way they end up on a machine differs from that of any ordinary program. Rather than being installed, a few malicious files are simply dropped onto the victim's computer. Now to the methods of deception themselves.
Fake programs disable Windows Task Manager, Registry Editor, Command Prompt and even the trusted antivirus program. There have been cases in which every .exe file was blocked except iexplore.exe (the web browser), which is needed to pay for the rogue program. So what changes are made to the system to obtain such a result? The main territory for the malicious actions is the Windows registry. Many changes are made there, such as creating new values whose data point to malicious files located somewhere on the hard drive; the file, in turn, performs the unwanted actions that serve the attacker's purpose. Deleting the file is not the most effective response: malicious files are able to regenerate after a restart, or even right after they have been removed, typically because another dropped component or an autorun entry is still in place to recreate them. Besides creating or modifying file-location strings in the registry, a rogue program may alter other kinds of values to hostile effect, such as disabling Task Manager; blocking Task Manager prevents the user from killing the malicious processes. Sometimes any of the problems mentioned above can be fixed by modifying one particular registry value.
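The paragraph above names the symptoms (blocked Task Manager, Registry Editor and Command Prompt, .exe files that no longer launch, files that come back after deletion) without naming where in the registry to look. The following PowerShell script is an added example, not code from the original article or from any anti-spyware vendor, that audits the registry locations most commonly behind each symptom. It assumes Windows PowerShell 5.1 or later running as the affected user, and it uses only documented Windows policy values (DisableTaskMgr, DisableRegistryTools, DisableCMD), the exefile open command, and the per-user and per-machine Run keys; the "outside Windows or Program Files" filter on autorun entries is a heuristic of this example and will flag legitimate software as well, so treat its output as a list of things to inspect, not as a verdict.

```powershell
# Added example: audit the registry locations that rogue-AV droppers commonly
# modify. Assumptions: Windows PowerShell 5.1+, run as the logged-on user.
# Nothing here changes the registry; remediation lines are left commented out.

# 1. Policy values that disable Task Manager, Registry Editor and cmd.exe.
#    A non-zero DWORD means the tool is blocked by policy.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Tool = 'Task Manager' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Tool = 'Registry Editor' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD';           Tool = 'Command Prompt' }
)

foreach ($c in $checks) {
    # Missing key or value is the normal, clean state; suppress the error.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($value -and $value -ne 0) {
        Write-Warning ("{0} is disabled by policy: {1}\{2} = {3}" -f $c.Tool, $c.Path, $c.Name, $value)
        # Remediation (uncomment to act): remove the policy value.
        # Remove-ItemProperty -Path $c.Path -Name $c.Name
    } else {
        Write-Output ("{0}: not blocked by policy" -f $c.Tool)
    }
}

# 2. The "every .exe is blocked except the browser" symptom: the exefile
#    association has been pointed at a launcher that decides what may run.
#    Windows' own default is "%1" %* ; anything else deserves a close look.
$exeCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($exeCmd -ne '"%1" %*') {
    Write-Warning "exefile open command has been altered: $exeCmd"
} else {
    Write-Output 'exefile open command: Windows default'
}

# 3. Autorun entries that relaunch dropped files after a reboot, which is why
#    deleting the file alone does not hold. The path filter is a heuristic of
#    this example: entries outside Windows or Program Files are listed for review.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own PSPath/PSParentPath/... noise
        ForEach-Object {
            $target = [string]$_.Value
            if ($target -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') {
                Write-Warning ("Review autorun {0}\{1} -> {2}" -f $k, $_.Name, $target)
            } else {
                Write-Output ("Autorun {0}\{1} -> {2}" -f $k, $_.Name, $target)
            }
        }
}
```

Run it from an elevated PowerShell prompt if the rogue has already blocked cmd.exe but not PowerShell; when PowerShell is blocked too, the same values can be inspected from a clean boot medium with an offline registry editor, since the checks only read the values and do not depend on the infected system being live.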
Another very effective misleading technique is a fake Windows "My Computer" window that tries to create the impression that the local hard disks and folders (such as My Documents) contain trojans and viruses. In reality the window is displayed inside the web browser, in which the corresponding website has been loaded. The trick is done with images: imagine taking a screenshot of the "My Computer" window and putting it on your website under the same title. The giveaway is that the fake "window" sits inside a browser tab with an address bar showing a remote URL, and its buttons, scrollbars and drive icons are only a picture.
To sum up, each rogue program makes different changes to the system, and every time a new rogue appears, anti-spyware companies search for removal methods. In the case of an infection, users are advised to start a new forum thread and post a HijackThis log so that the cause of the problems on the victim's computer can be identified. After computer experts have analyzed the log, they are able to suggest malware removal tools for the particular threat (virus, trojan or other malware).