This month we’ve added two more rogue families to the Malicious Software Removal Tool (MSRT) – Win32/FakeVimes and Win32/PrivacyCenter. Both have been around since early 2009, but have become more prevalent in the last few months.
Win32/FakeVimes has gone through a lot of different names, usually with two or three active at any given time. Currently it’s calling itself Windows System Defender and Windows Enterprise Suite. Its interface may look familiar even if you’ve never had the misfortune of being affected by the malware - it has copied elements of the Windows Defender and Windows Security Center UIs and its activate* button includes an imitation of the Genuine Microsoft Software logo.
In addition to the usual reports of non-existent malware, some variants of FakeVimes display imitation User Account Control (UAC) dialogs, with a recommended option of “protect”. Clicking “protect” just leads to another dialog asking you to activate*. Sometimes FakeVimes also claims to detect spambot behaviour. In this case, it uses the Microsoft Office logo in an attempt to make its warnings appear more credible.
Win32/PrivacyCenter hasn’t gone through anywhere near as names as FakeVimes. It started off calling itself Privacy Center, changed to Privacy Components and now goes by Safety Center. PrivacyCenter looks quite primitive compared to most modern rogues. Sometimes it even reports its own files as malware.
Some variants of PrivacyCenter make themselves the default shell application, so when you reboot you might find that the trojan runs instead of Explorer.
Both Win32/FakeVimes and Win32/PrivacyCenter are distributed through fake online scanners, similar to those used by most other rogues.
-- Hamish O'Dea
* As with most rogues, “activate” means pay.