New scareware sends you to fake Download.com reviews

A new variant of a familiar scareware infection introduces a twist--this devious malware hijacks your hosts file to point you to spoofed Web sites.

Last week, BleepingComputer.com reported on how to remove a new variant of an old scareware. This new nasty, known most commonly as Antivirus2010 or Anti-Virus-1, points you to spoofed versions of Download.com, ZDNet, PCMag.com, and other software sites, demanding that you download their program to clean your computer. Of course, it does nothing of the sort, merely perpetuating the infection.

Antivirus2010, Anti-Virus-1, and other variants of the AntivirusXP infection have never been hosted on Download.com.

(Credit: Seth Rosenblatt/CNET Networks)

However, the manner and methods Anti-Virus-1 uses to get you there are extremely clever. The infection part of the malware does whatever it's been designed to do, so you can see that you've been infected with malware. What you don't realize at this point is that it's hacked your hosts file, too, so that when you go to a software site you don't ever make it to the site you're trying to get to.

You wind up on a skinned Web site that looks like the site you're expecting, but isn't. With the Download.com spoof, you can see that they're using our old design, which CNET abandoned last summer. Clicking on any link besides the download button will take you to the same page that the legitimate site would've taken you to. Hit the download button, though, and you get their fake malware remover, which in fact does the opposite, perpetuating the infection.

Removing the infection is tricky because of the differences between the variants. Some people have complained that they get locked out of their Task Manager, for example, but not all reports include that complaint. The fix that I cited for Antivirus XP 2008 may work, but users who have Windows XP Home Edition don't have a gpedit.msc. Home Edition users will have to edit their Registry directly.

Malwarebytes' Anti-Malware has proven to be one of the few malware killers that can effectively remove Antivirus XP 2008 and its variants, and it should work against the latest ones, too. The First Look video of Malwarebytes' Anti-Malware on the right will help you get started with the program.

Keep in mind that there is no substitute for cautious browsing. Don't install every Facebook app that comes your way, don't click on ads on unfamiliar sites or sites that are known vectors for attacks, and don't install software from anybody that's not a vouchsafed source.

I've pasted below the entire list from BleepingComputer of changes to your hosts file for your edification. Be warned that it may change as variants are developed.

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com

O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com

O1 - Hosts: 217.20.175.74 a1.review.zdnet.com

O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com

O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com

O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com

O1 - Hosts: 217.20.175.74 www.reviews.download.com

O1 - Hosts: 217.20.175.74 reviews.download.com

O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk

O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk

O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com

O1 - Hosts: 217.20.175.74 reviews.pcmag.com

O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk

O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk

O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com

O1 - Hosts: 217.20.175.74 reviews.reevoo.com

O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk

O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk

O1 - Hosts: 217.20.175.74 www.reviews.techradar.com

O1 - Hosts: 217.20.175.74 reviews.techradar.com

(Via Ars Technica)

CNET Top 5
Companies Apple could buy with their billions
Apple's sitting on a massive pile of cash. Here are five interesting ways they could spend it.
Play Video
 

Member Comments