This month we add the rogue security program that we call Win32/Fakeinit to the list of malware families removed by MSRT. David wrote about Fakeinit a few months ago and it hasn't really changed since then. It's still calling itself "Internet Security 2010" and "Security Essentials 2010". We should expect "Security Essentials 2011" to show up soon.
Fakeinit uses the old one-two punch of first trying to convince you that there's malware all over your system, then offering a scanner that can detect and remove it - once you pay. Fakeinit separates these functions into two components. The first component changes the desktop background to something like this:
This component also terminates a whole bunch of programs as soon as they run. It doesn't do this to protect itself - the programs it kills include calc.exe, word.exe and freecell.exe - but rather to convince you that you are infected and generally make the machine hard to use in the hope of annoying you into paying for the scanner. Of course, Fakeinit downloads and installs the "scanner" (the second component) for you. The scanner reports more infections and tells you how to fix them by giving your money away.
If you do decide to pay, you're giving away not just your money, but also some pretty sensitive information including your name, address and credit card details. The page is not secured, meaning these details could be intercepted, but the real question is "what else will the makers of Internet Security 2010 do with this information?"
At best, you are likely to be charged more than you expected. Hidden at the bottom of the page, below the "proceed payment" button, are options for a "lifetime license" and "firewall and email protection" that are already selected for you. Together they add another $39.90 to the price. This is another classic rogue trick.
Fakeinit is also known to download Win32/Alureon, but in the MMPC lab these days we often say that "everything downloads Alureon". This isn't true of course, but it seems that way at times - Alureon is undoubtedly installed by more distinct malware families than anything else.
-- Hamish O'Dea