February 23, 2009 4:13 PM PST

New scareware sends you to fake Download.com reviews

by Seth Rosenblatt

Last week, BleepingComputer.com reported on how to remove a new variant of an old scareware. This new nasty, known most commonly as Antivirus2010 or Anti-Virus-1, points you to spoofed versions of Download.com, ZDNet, PCMag.com, and other software sites, demanding that you download their program to clean your computer. Of course, it does nothing of the sort, merely perpetuating the infection.

Antivirus2010, Anti-Virus-1, and other variants of the AntivirusXP infection have never been hosted on Download.com.

(Credit: Seth Rosenblatt/CNET Networks)

However, the method Anti-Virus-1 uses to get you there is extremely clever. The infection itself behaves visibly enough that you can tell you've been infected with malware. What you don't realize at that point is that it has also rewritten your hosts file, so that when you try to visit a software site you never reach the real one: the site's hostname now resolves to an address the scammers control.

You wind up on a skinned Web site that looks like the site you're expecting, but isn't. With the Download.com spoof, you can see that they're using our old design, which CNET abandoned last summer. Clicking on any link besides the download button will take you to the same page that the legitimate site would've taken you to. Hit the download button, though, and you get their fake malware remover, which in fact does the opposite, perpetuating the infection.

Removing the infection is tricky because of the differences between the variants. Some people have complained that they get locked out of their Task Manager, for example, but not all reports include that complaint. The fix that I cited for Antivirus XP 2008 may work, but users who have Windows XP Home Edition don't have a gpedit.msc. Home Edition users will have to edit their Registry directly.

Malwarebytes' Anti-Malware has proven to be one of the few malware killers that can effectively remove Antivirus XP 2008 and its variants, and it should work against the latest ones, too. The First Look video of Malwarebytes' Anti-Malware on the right will help you get started with the program.

Keep in mind that there is no substitute for cautious browsing. Don't install every Facebook app that comes your way, don't click on ads on unfamiliar sites or on sites that are known attack vectors, and don't install software from any source you can't vouch for.

I've pasted below the entire list from BleepingComputer of changes to your hosts file for your edification. Be warned that it may change as variants are developed.

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
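To show how this kind of hijack can be spotted on a machine, here is an added example (it is not code from the post, from BleepingComputer, or from HijackThis): a small Python checker that parses a Windows hosts file, or HijackThis "O1 - Hosts:" lines like the ones above, and flags any entry that pins a software-review domain to an address other than loopback. The watched-domain list and the sample hosts text are constructed for the example.

```python
import ipaddress
import re

# Software-download and review domains the post says the malware spoofs.
# Any hosts entry that pins one of these (or a subdomain) to a routable
# address is treated as a hijack signal. List assembled for this example.
WATCHED_DOMAINS = (
    "download.com", "cnet.com", "zdnet.com", "pcmag.com", "toptenreviews.com",
    "pcadvisor.co.uk", "pcpro.co.uk", "reevoo.com", "techradar.com",
    "riverstreams.co.uk", "2009softwarereviews.com",
)

# Accepts a raw hosts-file line or a HijackThis "O1 - Hosts:" log line.
LINE_RE = re.compile(r"^(?:O1 - Hosts:\s*)?([0-9A-Fa-f.:]+)\s+(\S+)")

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = LINE_RE.match(line)
        if match:
            yield match.group(1), match.group(2).lower()

def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hijacks(text):
    """Return [(ip, hostname)] for watched names pinned to non-loopback IPs."""
    hits = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed address, cannot act as a pin
            continue
        if is_watched(host) and not addr.is_loopback:
            hits.append((ip, host))
    return hits

# Constructed sample: two legitimate localhost lines, one raw hijack entry,
# one entry in the HijackThis format the post quotes, and an ad-blocking pin.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
217.20.175.74   reviews.download.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
127.0.0.1       ads.example.com   # ad-blocking pin, not a hijack
"""
```

On a live Windows machine, pass the contents of C:\Windows\System32\drivers\etc\hosts to find_hijacks; loopback pins such as the ad-blocking line are deliberately left alone, since they block a site rather than redirect it.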

(Via Ars Technica)

Seth peers into the deep, dark corners of software so that you don't have to. He has yet to suffer a single nightmare about OS/2. You can follow him on Twitter.
Comments (30)
by BigGuns149 February 23, 2009 4:43 PM PST
This is a pretty cheap shot, albeit personally I won't download any product that I hadn't heard of before without doing some research into the quality of said software. Especially when software uses a name remarkably similar to a notable piece of malware I would take a very suspect view of the software.

Honestly, I am a bit surprised that CNET's download.com is as popular as it is. Historically CNET has often been slow to update their listings to the most current listings and many of the user reviews are often worse than useless because in some cases they contain inaccurate or deceptive information (e.g. this software has spyware). I think that Betanews.com's Fileforum tends to provide more up to date versions of software with better reviews.

Nevertheless the creators of this malware clearly were bright to target a popular site.
by jabberwockgee February 23, 2009 7:43 PM PST
It's popular enough to attract people who don't even like it to post random-ass comments.
by BigGuns149 February 24, 2009 4:08 PM PST
You do realize that a lot of people arrive at stories via social news sites (e.g. Reddit, Digg, etc.) who don't regularly visit any of CNET's sites. A new web scam is news regardless of who posted the story.
by Nardley February 24, 2009 7:10 PM PST
Back in the Win 95 days ZDNet was king; CNET has been the most reliable and best updated site for years now. This doughhead probably works for Betanews and is probably just trying to steal some of CNET's well deserved thunder. I've been through all the variants of the fake avg except 2010. Even though 'Hijack This' was created for the original fake A/V prog that evolved into this crap, it still does the job, and you can get it at cnet.com, as I did. CNET was the first site which provided information and the cure for these types of malware. I've used software d/l'd from CNET to repair hundreds of comps without a single glitch or complaint. I also use it more than any other resource to stay abreast of the industry. Thank you CNET from myself and every one of my customers who benefit from your work.
by Nardley February 24, 2009 7:11 PM PST
Oh, and the rules say no advertising, 'big guns'. Being a veteran I get a kick out of people who use names like that. Invariably under-equipped.
by Gasaraki February 25, 2009 7:35 AM PST
I've used download.com for so many years. I remember that they used to host files with adware and spyware built in to them but then started the campaign where they will make sure none of the programs they host contain any spyware, adware, malware, etc. Download.com hasn't let me down yet.

Thanks CNET.
by mrkaedis February 24, 2009 6:13 PM PST
Good info, thanks for the heads up, regardless of dunderheaded comments by self-important nobodies.
by bergyo1 February 24, 2009 6:14 PM PST
How am I supposed to know if I've been sent to a redirected site????
by Nardley February 24, 2009 7:26 PM PST
Real anti-virus, anti-spyware and anti-malware doesn't spam advertise or redirect you anywhere. That's the first and last clue. Anti-virus 2008 and 2009 do pop up a fake 'Windows security' icon in your task bar and if you click it you even get a fakey Windows Security Center page.
by thebug February 24, 2009 6:43 PM PST
What about the sites that automatically start scanning your computer (ha! not actually, it just shows a screen like Explorer and your hard drive) and I have to use Task Manager to shut down my browser!!!!!
by Nardley February 24, 2009 7:24 PM PST
Download 'Hijack This' but don't install yet. Reboot in safe mode and delete "Anti-Virus 2008" or whatever variant from Add/Remove Programs in your Control Panel (if you are lucky enough to have one of the lazy scammers' malwares). Reboot again to get out of safe mode and install 'Hijack This'. It's very self-explanatory and easy to use.

2nd solution: if it has a name, Google it and you'll find the fix from the good guys. (That's how I repaired my first instance of it.)

3rd solution: format C: and reinstall everything.
by Jympton2 February 24, 2009 7:12 PM PST
by BigGuns149 February 23, 2009 4:43 PM PST: "This is a pretty cheap shot..."

Indeed it is, old chap, very cheap of you indeed.
by Nardley February 24, 2009 7:16 PM PST
He's shooting blanks tho.
by sheba94601 February 24, 2009 7:53 PM PST
That happened to me when I was ordering Trend Micro (switched over to a fake credit card site) but my bank straightened me out. These idiots also make fake pages that look like you're on your bank's website. Wells Fargo was hit 3 times last year. I lost the link I had to a website that informed us on what sites get hit yearly (when I had to do a system restore). Most tellers actually believe their employer's sites are safe but recently WF have been informing customers on how to make sure they are actually on a secure website. I learned a big lesson & now use CallingID (downloaded from download.com) which I put on all PCs I fix for friends, and McAfee SiteAdvisor. CallingID operates from your toolbar & tells you the owner & server location (street address also) of the website you're on. You can even Google the address in Google Maps, lol, to make sure it's legit!
by February 25, 2009 9:24 PM PST
Whenever entering your bank's website use a trick by always typing first a WRONG password. IF it's accepted, that proves it's a fake page, considering that crackers don't know your correct password. If the wrong password is not accepted, then it proves you are in the right website. Makes sense?
by jahvada February 24, 2009 8:13 PM PST
My brother's family computer is infected with Antivirus XP 2010. I installed Malwarebytes' Anti-Malware, had it scan the computer, and it found plenty of other viruses and trojan horses and successfully cleaned those out, but Antivirus XP 2010 is still there. So I deactivated the startup file and deleted what files I could, but I don't know how to find all the deep-nested files and registry keys where parts of the program are still located. I guess I'll have to reformat the hard drive. What a pain!
by mguyler February 24, 2009 10:20 PM PST
I have yet to read an article that tackles what seems to me to be obvious. If scams like this are collecting money from the unwary, why can't we find out who they are? Surely there is a paper trail. I have never even read where these scammers are, however some seem to use servers in countries that do have laws. We should be doing more to track these culprits down. I know, I know, it costs money and who will pay? Nevertheless if all we ever do is fix the symptoms of this disease then eventually it will take us down.
by doodeee February 25, 2009 5:40 AM PST
I am new to all this computer business. I am frightened by all the scammers and there are a lot of them I guess. I am 74 years old and I can't catch up with all the new things (how do I format my C drive, for instance). I was going to get some CDs from Video Professor; these CDs are expensive. Can I get the same thing that is more economical???? howiepooll@yahoo.com
by wanderlustfl February 25, 2009 7:09 AM PST
I hope the admins are watching this. doodeee's e-mail address should really be removed. He's probably already received hundreds if not thousands of spam e-mails.

Suggest, doodeee, you enrol for evening classes for seniors in computing. Most colleges run these and they are frequently free.
by ken1129 February 25, 2009 7:08 AM PST
How do I know this is the real Download.com and not a fake site....HHHMMM?
by wanderlustfl February 25, 2009 7:40 AM PST
By the way, I have had a lot of success in removing this malware with Spy Emergency from Netgate Technologies, and can't praise this application enough. I run it in partnership with F-Secure Internet Suite or Kaspersky Internet Suite, and add in Bill P Studios' Win Patrol (little scottie dog) and Peer Guardian 2 (spyware lists) and have only ever had infections when I have disabled AV and antispyware to open a file they wouldn't let me open (how crazy is that?). Kaspersky and F-Secure are the No. 1 equal in AV suites in my opinion, although F-Secure reports fewer false positives than Kaspersky.

To remove these PIAs, run a Spy Emergency scan (it WILL take a while, fighting for resources with the false AV), then reboot into Safe Mode with Networking and do an online scan from F-Secure or Kaspersky, as you obviously don't have these installed if you got the thing in the first place!

To be fair, Norton DOES get the earlier versions of these fake AVs too.

All the apps mentioned can be found on Download.com.
by zepper February 25, 2009 9:15 AM PST
I use the enhanced HOSTS file from http://www.mvps.org/winhelp2002/hosts.htm which short-circuits calls to many useless sites and I add my own to it so sites I visit regularly have better performance (mainly to block their ad/banner servers). I also set the HOSTS file to Read Only - I'm sure it's no problem for malware hackers to bypass this little protection, but perhaps it gives a bit of further security.

I've just started using the MalwareBytes utility, but it seems to be a useful addition to the arsenal.

.bh.
by CircaSurvive February 25, 2009 9:18 AM PST
My father had this on one of his office computers. I also had to deal with it on a few machines in my office. It was awful to get rid of. If you have it and have come across this article. Consider yourself lucky.
by 0zSpit February 25, 2009 12:58 PM PST
I intentionally installed Antivirus2009 (haven't come across 2010 yet) because everyone had horror stories about it. Other than the trojan that encrypts your hard drive, this one has got to be one of the worst I've encountered, even on a test computer. Malwarebytes was the only program I found that could remove most of it. Even IF it was removed, your OS is left with some damage to where a reinstall was the easiest fix I could do. Note: I tested Antivirus2009 without any antivirus running to see the full scope of the infection.
by duderedman February 26, 2009 4:54 PM PST
Check out BufferZone - http://www.trustware.com - virtualizes the web so you can't download bad stuff like this. Great for kids too - they can click on anything, download anything, whatever, without screwing up the computer. And no lag times for antivirus signatures to update.

It's been a real lifesaver for malware - highly recommended.
by progsutils February 26, 2009 10:06 PM PST
I actually have a question for you. So let's say I get infected with malware or a virus; does reloading Windows XP totally eradicate and remove all evidence or remnants of all known, let's just say, annoyances?
by styles11 February 27, 2009 2:16 AM PST
I once tried to find out about all this hype about Antivirus XP and so forth. I even tried installing it and seeing what it would do, but to be honest nothing happened; my computer just restarted itself and when it came back on it was just like before. I believe the most effective way to stop malware and viruses is to actually take the time to set up your system. These viruses are probably directed at computers that have the default settings for Windows.
by sobral February 27, 2009 3:38 AM PST
I had that damn program but thanks to a user of CNET I got rid of it.
Just install SuperAntiSpyware free or pro; worked like magic.
by stick joe March 3, 2009 2:18 PM PST
I remember when I USED TO get that type of scareware message on my computer: "You have an infection. Install this to get rid of it"... yeah right!

Since I no longer surf with my admin account, it's amazed me that I NEVER get those anymore.

People shouldn't surf with their admin accounts -- this is WHY they're getting these things.