Tuesday, 25 August 2009

Protect yourself from Conficker

The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction.

If you are an IT professional, please visit Conficker Worm: Help Protect Windows from Conficker.

On This Page

  • Is my computer infected with the Conficker worm?
  • What does the Conficker worm do?
  • How does the Conficker worm work?
  • How do I remove the Conficker worm?
  • Where can I find more technical information about the Conficker worm and how can I stay up to date on the Conficker worm?

Is my computer infected with the Conficker worm?

Probably not. Microsoft released a security update in October 2008 (MS08-067) to protect against Conficker.

If your computer is up-to-date with the latest security updates and your antivirus software is also up-to-date, you probably don't have the Conficker worm.

If you are still worried about Conficker, follow these steps:

  1. Go to http://update.microsoft.com/microsoftupdate to verify your settings and check for updates.
  2. If you can't access http://update.microsoft.com/microsoftupdate, go to http://safety.live.com and scan your system.
  3. If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.

What does the Conficker worm do?

To date, security researchers have discovered the following variants of the worm in the wild.

Win32/Conficker.B might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box will show one additional option.

The Conficker worm can also disable important services on your computer.

In the screenshot of the AutoPlay dialog box below, the option "Open folder to view files — Publisher not specified" was added by the worm. The highlighted option, "Open folder to view files — using Windows Explorer", is the option that Windows provides and the option you should use.

If you select the first option, the worm executes and can begin to spread itself to other computers.

[Screenshot: AutoPlay dialog box. The option "Open folder to view files — Publisher not specified" was added by the worm.]


How does the Conficker worm work?

Here's an illustration of how the Conficker worm works.

[Illustration: a visual explanation of how the Conficker worm works.]

How do I remove the Conficker worm?

If your computer is infected with the Conficker worm, you may be unable to download certain security products, such as the Microsoft Malicious Software Removal Tool, or you may be unable to access certain Web sites, such as Microsoft Update. If you can't access those tools, try using the Windows Live safety scanner.


Where can I find more technical information about the Conficker worm and how can I stay up to date on the Conficker worm?

For more information, see How to prevent computer worms and How to remove computer worms.


Stop Win32/Conficker from spreading by using Group Policy settings

Notes

  • Important: Make sure that you document any current settings before you make any of the changes that are suggested in this article.
  • This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "Manual steps to remove the Win32/Conficker virus" section of this Knowledge Base article to manually remove the malware from the system.
  • You may be unable to correctly install applications, service packs, or other updates while the permission changes that are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager (SCCM), as these products rely on components of Automatic Updates. Make sure that you change the permissions back to default settings after you clean the system.
  • For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned in the "Create a Group Policy object" section, see the Default permissions table at the end of this article.

Create a Group Policy object

Create a new Group Policy object (GPO) that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.

To do this, follow these steps:
  1. Set the policy to remove write permissions to the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
    This prevents the randomly named malware service from being created in the netsvcs registry value.

    To do this, follow these steps:
    1. Open the Group Policy Management Console (GPMC).
    2. Create a new GPO. Give it any name that you want.
    3. Open the new GPO, and then move to the following folder:
      Computer Configuration\Windows Settings\Security Settings\Registry
    4. Right-click Registry, and then click Add Key.
    5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:
      Software\Microsoft\Windows NT\CurrentVersion\Svchost
    6. Click OK.
    7. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
    8. Click OK.
    9. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
    10. Click OK.
  2. Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.

    To do this, follow these steps:
    1. In the same GPO that you created earlier, move to the following folder:
      Computer Configuration\Windows Settings\Security Settings\File System
    2. Right-click File System, and then click Add File.
    3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
    4. Click OK.
    5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System.
    6. Click OK.
    7. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
    8. Click OK.
  3. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.

    Note: Depending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality:
    • To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security update 950582 (http://support.microsoft.com/kb/950582) installed (described in security bulletin MS08-038).
    • To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must have security update 950582 (http://support.microsoft.com/kb/950582), update 967715 (http://support.microsoft.com/kb/967715), or update 953252 (http://support.microsoft.com/kb/953252) installed.
    To set AutoPlay (Autorun) features to disabled, follow these steps:
    1. In the same GPO that you created earlier, move to one of the following folders:
      • For a Windows Server 2003 domain, move to the following folder:
        Computer Configuration\Administrative Templates\System
      • For a Windows 2008 domain, move to the following folder:
        Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
    2. Open the Turn off Autoplay policy.
    3. In the Turn off Autoplay dialog box, click Enabled.
    4. In the drop-down menu, click All drives.
    5. Click OK.
  4. Close the Group Policy Management Console.
  5. Link the newly created GPO to the location that you want it to apply to.
  6. Allow enough time for the Group Policy settings to reach all computers. Generally, Group Policy takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple of hours should be enough. However, more time may be required, depending on the environment.
  7. After the Group Policy settings have propagated, clean the systems of malware.

    To do this, follow these steps:
    1. Run full antivirus scans on all computers.
    2. If your antivirus software does not detect Conficker, you can use the Malicious Software Removal Tool (MSRT) to clean the malware. For more information, visit the following Microsoft Web page:
      http://www.microsoft.com/security/malwareremove/default.mspx
      Note: You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "Manual steps to remove the Win32/Conficker virus" section of this article to clean up all the effects of the malware.
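The article asks you to document the current settings before changing them and to confirm that the policy has propagated before cleaning systems. The PowerShell script below is an added example, not part of the Microsoft Knowledge Base article: run it elevated on a client after the GPO has applied, and it saves the current ACLs of the Svchost key and the Tasks folder to a file, then reports whether Administrators and SYSTEM still hold write rights on either, and whether AutoPlay is turned off for all drives. The registry key, the folder and the Turn off Autoplay policy are the ones the article names; the baseline file path is an assumption, and the NoDriveTypeAutoRun value under Policies\Explorer (0xFF when the policy is set to All drives) is not mentioned in the article and is stated here from knowledge of that policy.

```powershell
# Added example, not from the Microsoft KB article. Audits one client for the
# three settings the GPO procedure above enforces and records the current ACLs.
$SvchostKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$TasksFolder    = Join-Path $env:windir 'Tasks'
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$BaselineFile   = Join-Path $env:TEMP 'conficker-gpo-baseline.txt'   # assumed location

# Named write rights, plus the GENERIC_WRITE / GENERIC_ALL bits that appear on
# inherited entries Get-Acl cannot map to a named right.
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify'
$GenericWrite  = 0x40000000 -bor 0x10000000

# Returns the Allow rules that still let $Identity write to the object behind $Acl.
function Get-WriteRule {
    param($Acl, [string]$Identity, [int]$WriteMask)
    foreach ($rule in $Acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -ne $Identity) { continue }
        $mask = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            [int]$rule.RegistryRights
        } else {
            [int]$rule.FileSystemRights
        }
        if (($mask -band $WriteMask) -ne 0 -or ($mask -band $GenericWrite) -ne 0) { $rule }
    }
}

# Save the ACLs as they are now, so the defaults can be restored after clean-up.
$regAcl  = Get-Acl -Path $SvchostKey
$taskAcl = Get-Acl -Path $TasksFolder
@($SvchostKey,  ($regAcl.Access  | Format-Table -AutoSize | Out-String),
  $TasksFolder, ($taskAcl.Access | Format-Table -AutoSize | Out-String)) |
    Set-Content -Path $BaselineFile

# Steps 1 and 2 of the procedure remove write access for these two identities.
$results = foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    [pscustomobject]@{
        Identity             = $identity
        SvchostStillWritable = [bool](Get-WriteRule $regAcl  $identity $RegWriteMask)
        TasksStillWritable   = [bool](Get-WriteRule $taskAcl $identity $FileWriteMask)
    }
}
$results | Format-Table -AutoSize

# Step 3: "Turn off Autoplay" for All drives is stored as NoDriveTypeAutoRun = 0xFF.
$autorun = Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($autorun -and $autorun.NoDriveTypeAutoRun -eq 0xFF) {
    'AutoPlay: disabled for all drives (NoDriveTypeAutoRun = 0xFF)'
} else {
    'AutoPlay: NOT disabled for all drives; check that the Turn off Autoplay policy applied'
}
"Baseline ACLs written to $BaselineFile"
```

Both "StillWritable" columns should read False once the GPO has applied; a True value on a freshly joined machine usually means replication has not reached it yet (see step 6). The baseline file is what you restore from when the article's note about putting the default permissions back applies.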

Monday, 17 August 2009

AppleScript.THT Trojan Horse: New OS X Trojan Horse in the Wild (SecureMac Security Advisory)

Security Risk: Critical

SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire. The source code for the Trojan horse has been distributed, indicating an increased probability of future variants of the Trojan horse.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.

Until a patch is issued for the Apple Remote Desktop Agent exploit, SecureMac classifies the security risk presented by this Trojan horse as high.

Protection: To protect your system against this threat, run MacScan 2.5.2 (MacScan is a product of SecureMac) with the latest Spyware Definitions update (2008011), dated June 19th, 2008. SecureMac recommends that users download files only from trusted sources and sites.

Additional removal instructions and resources will be posted once available.

Resources:
WashingtonPost analysis on AppleScript.THT Trojan Horse

About MacScan:
MacScan quickly detects, isolates and removes spyware from Macintosh computers using both real-time spyware definition updating and unique detection methods. The software also manages internet-related clutter on your computer. It is designed for Mac OS X version 10.2.4 and later, and is compatible with OS X 10.5 (Leopard). For more information, or to download a demo version of MacScan, visit http://macscan.securemac.com.

About SecureMac: 
Since 1999, SecureMac.com has been at the forefront of Macintosh system security. The site not only features complete Macintosh Anti-Spyware and Antivirus solutions, but also operates as a clearinghouse for news, reviews and discussion of Apple computer security issues. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience trouble free.


How Computer Viruses Work

Strange as it may sound, the computer virus is something of an Information Age marvel. On one hand, viruses show us how vulnerable we are -- a properly engineered virus can have a devastating effect, disrupting productivity and doing billions of dollars in damages. On the other hand, they show us how sophisticated and interconnected human beings have become.

For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. Back in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared -- by October, experts believed up to 50 million computers were infected. That's pretty impressive when you consider that many viruses are incredibly simple.

When you listen to the news, you hear about many different forms of electronic infection. The most common are:

  • Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
  • E-mail viruses - An e-mail virus travels as an attachment to e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book. Some e-mail viruses don't even require a double-click -- they launch when you view the infected message in the preview pane of your e-mail software [source: Johnson].
  • Trojan horses - A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically.
  • Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.

In this article, we will discuss viruses -- both "traditional" viruses and e-mail viruses -- so that you can learn how they work and understand how to protect yourself.


Sunday, 16 August 2009

Windows virus infects 9m computers

The number of Windows computers infected with the new "downadup" worm – also known as "Conficker" and "Kido" – has exploded to almost 9 million worldwide, from roughly 2.4m last Thursday, according to the computer security company F-Secure.

The growth in the number of infected machines – which the company's researchers called "just amazing" – makes it one of the worst malware outbreaks of the past five years. The principal targets are corporate Windows servers belonging to small businesses who have not installed security updates released by Microsoft last October. F-Secure estimates that a third of all potentially vulnerable systems have not had the update.

But antivirus researchers are still unsure of the precise purpose of the malware, which is spreading via the internet, through unpatched corporate networks and through USB memory sticks attached to infected computers.

First discovered last October, downadup loads itself on to a computer by exploiting a weakness in Windows servers. Although the weakness was noticed and fixed by Microsoft last October, not enough people with vulnerable machines – including those running Windows XP and Vista – have installed the fix.

The worm can infect USB sticks, and any corporate laptop that gets infected could then launch attacks if it was later connected to a home network.

The reason for the explosion in infected machines seems to be a new variant which appeared last week, updated by the hackers who wrote the original. The new one attempts to crack the passwords of machines on a network using the computing power of the infected machine to apply a "brute force" approach – so that passwords such as "admin", "password" or "123456" on potential target machines will quickly be broken.

Once it has infected a machine, the software also tries to connect to up to 250 different domains with random names every day. Researchers reckon that one of them will be the intended "control" domain, and that when the computers connect to it they will download a fresh program that will take over the infected computer.

"This makes it impossible and/or impractical for us good guys to shut them all down – most of them are never registered in the first place," the F-Secure team noted on its weblog. "However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website – and they then gain access to all of the infected machines. Pretty clever."

So far, nobody knows when that domain will become active – or whether it already is. Some have tried registering the domains that the worm tries to connect to (by advancing the clock on an infected PC by a day or two, to see which ones it will connect to) – but gave up because the cost of registering domains grew too high.

McAfee, another antivirus company, points out that weaknesses in Windows are being exploited more and more quickly. In 2001, it took 335 days for a worm to appear that exploited a vulnerability already patched by Microsoft. That worm, called Nimda, nevertheless did serious damage.

Since then, the length of time between patches appearing – which hackers can use to "reverse engineer" a piece of malware that will attack the weakness – has shortened, until the latest patch appeared on the same day that an "exploit" against it was found online.


The 10 faces of computer malware

The complexity of today's IT environment makes it easy for computer malware to exist, even flourish. Being informed about what's out there is a good first step to avoid problems.

With all the different terms, definitions, and terminology, trying to figure out what's what when it comes to computer malware can be difficult.

To start things off, let's define some key terms that will be used throughout the article:

  • Malware: malicious software that's specifically developed to infiltrate or cause damage to computer systems without the owner's knowledge or permission.
  • Malcode: malicious programming code that's introduced during the development stage of a software application and is commonly referred to as the malware's payload.
  • Antimalware: includes any program that combats malware, whether it's real-time protection or detection and removal of existing malware. Antivirus, antispyware applications and malware scanners are examples of antimalware.

One important thing to remember about malware is that, like its biological counterpart, its number one goal is reproduction. Causing damage to a computer system, destroying data, or stealing sensitive information are all secondary objectives.

Keeping the above definitions in mind, let's take a look at 10 different types of malware.

1: The infamous computer virus
A computer virus is malware that's capable of infecting a computer but has to rely on some other means to propagate. A true virus can only spread from the infected computer to a non-infected computer by attaching to some form of executable code that's passed between the two computers.

For example, a virus could be hidden in a PDF file attached to an e-mail message. Most viruses consist of the following three parts:

  • Replicator: When the host program is activated, so is the virus and the viral malcode's first priority is to propagate.
  • Concealer: The computer virus can employ one of several methods to hide from antimalware.
  • Payload: The malcode payload of a virus can be purposed to do just about anything, from disabling computer functions to destroying data.

Some examples of computer viruses currently in the wild are W32.Sens.A, W32.Sality.AM, and W32.Dizan.F. Most quality antivirus software will remove computer viruses once the application has the signature file for the virus.

2: The ever popular computer worm
Computer worms are more sophisticated than viruses, being able to replicate without user intervention. If the malware uses networks (the Internet) to propagate, it's a worm rather than a virus.

The main components of a worm are:

  • Penetration tool: Malcode that leverages vulnerabilities on the victim computer to gain access.
  • Installer: The penetration tool gets the computer worm past the initial defense mechanism. At that point the installer takes over and transfers the main body of malcode to the victim.
  • Discovery tool: Once settled in, the worm uses several different methods to discover other computers on the network, including e-mail addresses, host lists, and DNS queries.
  • Scanner: The worm uses a scanner to determine if any of the newly-found target computers are vulnerable to the exploits available in its penetration tool.
  • Payload: Malcode that resides on each victim's computer. Could be anything from a remote access application to a key logger used to capture user names and passwords.

This category of malware is unfortunately the most prolific, starting with the Morris worm in 1988 and continuing today with the Conficker worm. Most computer worms can be removed by using malware scanners such as MBAM or GMER.

3: The unknown backdoor
Backdoors are similar to the remote access programs that many of us use all the time. They're considered malware when installed without permission, which is exactly what an attacker sets out to do, using one of the following methods:

  • One installation method used is to exploit vulnerabilities on the target computer.
  • Another approach is to trick the user into installing the backdoor through social engineering.

Once installed, backdoors allow attackers complete remote control of the computer under attack. SubSeven, NetBus, Deep Throat, Back Orifice, and Bionet are backdoors that have gained notoriety. Malware scanners like MBAM and GMER are usually successful at removing backdoors.

4: The secretive Trojan horse
It's difficult to come up with a better definition for Trojan horse malware than Ed Skoudis and Lenny Zeltser did in their book Malware: Fighting Malicious Code:

"A Trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality."

Trojan horse malware cloaks the destructive payload during installation and program execution, preventing antimalware from recognizing the malcode. Some of the concealment techniques include:

  • Renaming the malware to resemble files that are normally present.
  • Corrupting installed antimalware so that it does not respond when the malware is located.
  • Using polymorphic code to alter the malware's signature faster than the defensive software can retrieve new signature files.

Vundo is a prime example; it creates pop-up advertising for rogue antispyware programs, degrades system performance, and interferes with Web browsing. Typically, a malware scanner installed on a LiveCD is required to detect and remove it.

5: Adware/Spyware, more than an annoyance
Adware is software that creates pop-up advertisements without the user's permission. Typically the way adware gets installed is by being a component of free software. Besides being very irritating, adware can significantly decrease computer performance.

Spyware is software that collects information from your computer without your knowledge. Free software is notorious for having spyware as a payload, so reading the user agreement is very important. The Sony BMG CD copy protection scandal is probably the most notable example of spyware.

Most quality antispyware programs will quickly find unwanted adware/spyware and remove it from the computer. It's also not a bad idea to regularly remove temp files, cookies, and browsing history from the Web browser as preventative maintenance.

Malware stew
Up until now, all the malware discussed has distinctive characteristics, making each type easy to define. Unfortunately that's not the case with the next categories. Malware developers have figured out how to combine the best features from different types of malware in an attempt to improve their success ratio.

Rootkits are an example of this, integrating a Trojan horse and a backdoor into one package. When used in this combination, an attacker can gain access to a computer remotely and do so without raising any suspicion. Rootkits are one of the more important combined threats, so let's take a deeper look at them.

Rootkits: Uniquely different
Rootkits are in a class all their own, choosing to modify the existing operating system instead of adding software at the application level like most malware. That's significant, because it makes detection by antimalware that much more difficult.

There are several different types of rootkits, but three make up the vast majority of those seen in the wild. They are user-mode, kernel-mode, and firmware rootkits. User-mode and kernel-mode may need some explanation:

  • User mode: Code has restricted access to software and hardware resources on the computer. Most of the code running on your computer will execute in user mode. Due to the restricted access, crashes in user mode are recoverable.
  • Kernel mode: Code has unrestricted access to all software and hardware resources on the computer. Kernel mode is generally reserved for the most trusted functions of the operating system. Crashes in kernel mode aren't recoverable.

6: User-mode rootkits
It's now understood that user-mode rootkits run on a computer with the same privileges reserved for administrators. This means that:

  • User-mode rootkits can alter processes, files, system drivers, network ports, and even system services.
  • User-mode rootkits remain installed by copying required files to the computer's hard drive, automatically launching with every system boot.

Hacker Defender is one example of a user-mode rootkit and luckily Mark Russinovich's well-known application Rootkit Revealer is able to detect it as well as most other user-mode rootkits.

7: Kernel-mode rootkits
Since rootkits running in user-mode can be found and removed, rootkit designers changed their thinking and developed kernel-mode rootkits:

  • Kernel-mode means the rootkit is installed at the same level as the operating system and rootkit detection software.
  • This allows the rootkit to manipulate the operating system to a point where the operating system can no longer be trusted.

Instability is the one downfall of a kernel-mode rootkit, typically leading to unexplained crashes or blue screens. At that point, it might be a good idea to try GMER. It's one of a few trusted rootkit removal tools that has a chance against kernel-mode rootkits like Rustock.

8: Firmware rootkits
Firmware rootkits are the next step up in sophistication, with rootkit developers figuring out how to store rootkit malcode in firmware. The altered firmware could be anything from microprocessor code to PCI expansion card firmware.

This means that:

  • When the computer is shut down the rootkit writes the current malcode to the specified firmware.
  • Restart the computer and the rootkit reinstalls itself.

Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business.

9: Malicious mobile code
In relative anonymity, malicious mobile code is fast becoming the most effective way to get malware installed on a computer. First, let's define mobile code as software that's:

  • Obtained from remote servers.
  • Transferred across a network.
  • Downloaded and executed on a local system.

Examples of mobile code include JavaScript, VBScript, ActiveX controls, and Flash animations. The primary idea behind mobile code is active content, which is easy to recognize. It's the dynamic page content that makes Web browsing an interactive experience.

What makes mobile code malicious? Installing it without the owner's permission or misleading the user as to what the software does. To make matters worse, it's usually the first step of a combined attack, similar to the penetration tool used by Trojan horse malware, after which the attacker can install additional malware.

The best way to combat malicious mobile code is to make sure that the operating system and all ancillary software is up to date.

10: Blended threat
Malware is considered a blended threat when it seeks to maximize damage and propagate efficiently by combining several pieces of single-intentioned malcode. That said, blended threats deserve special mention as security experts grudgingly admit they're the best at what they do.

A blended threat typically includes the following abilities:

  • Exploit several known vulnerabilities or even create vulnerabilities.
  • Incorporate alternate methods for replicating.
  • Automate code execution, which eliminates user interaction.

Blended threat malware for example may send an HTML e-mail message containing an embedded Trojan horse along with a PDF attachment containing a different type of Trojan horse. Some of the more famous blended threats are Nimda, CodeRed, and Bugbear. Removing blended threat malware from a computer may take several different pieces of antimalware as well as using malware scanners installed on a LiveCD.

Final thoughts
Malware: is it even possible to reduce the harmful effect it causes? Here are a few final thoughts on that subject:

  • Malware isn't going away any time soon, especially now that it has become evident that money, lots of money, can be made from its use.
  • Since all antimalware applications are reactionary, they are destined to fail.
  • Developers who create operating system and application software need to show zero tolerance for software vulnerabilities.
  • Everyone who uses computers needs to take more ownership in learning how to react to the ever-changing malware environment.
  • It cannot be stressed enough: please make sure to keep operating system and application software up to date.

Scam Antivirus App Spreads Malware

Web users have been warned about a new scam that posts fake product reviews in a bid to encourage people to buy a rogue security application called Anti-virus-1.

The app is one of a number of bogus security products which promise to provide protection against the latest online threats, but instead have been designed to spread malware or hold users' PCs to ransom.

But if you use the internet to research Anti-virus-1, it's possible you'll find a number of glowing reviews, because the tool is posting fake articles online which appear to be endorsed by a number of the web's top tech sites - including PC Advisor.

In reality, the likelihood of you coming across an Anti-virus-1 review is slim. According to Lawrence Abrams, owner of technology site BleepingComputer.com, fake reviews will only be seen by those who install the rogue security app.

He said that when he installed Anti-virus-1 - which also goes by the name Antivirus2010 - it added a series of entries into the Windows hosts file which direct users to what appear to be the websites of a number of UK and US tech sites.

"By adding these entries into your HOSTS file, it will make it so that if you go to any of the websites listed, instead of going to the legitimate site, you will instead be redirected to a site under the control of the developers of Anti-virus-1 and not realise you are doing so," said Abrams on his site.

That means those with Anti-virus-1 running on their PC may be directed to bogus reviews such as the one in the screenshot below.
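The redirection Abrams describes works because Windows consults the hosts file before DNS, so an entry that maps a site's name to an attacker-chosen address silently wins. The PowerShell script below is an added example, not from the PC Advisor article or from BleepingComputer: it parses hosts-file lines and reports every name mapped to anything other than a loopback or unspecified address, which is the only kind of mapping a clean Windows hosts file normally contains. The sample input is constructed (reserved .example names and a documentation IP range); the live-file check at the end reads the real hosts file without modifying it.

```powershell
# Added example, not from the article: find hosts-file entries that redirect a
# name to another machine, the pattern the rogue program uses.
function Get-RedirectingHostsEntry {
    param([string[]]$Lines)
    # Addresses that cannot send traffic to another machine.
    $harmless = '127.0.0.1', '0.0.0.0', '::1'
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()        # drop comments and blanks
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }          # malformed line, no names
        $address = $fields[0]
        if ($address -in $harmless -or $address -like '127.*') { continue }
        # One hosts line may list several names for the same address.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Line = $lineNo; Address = $address; Name = $name }
        }
    }
}

# Constructed sample: two normal entries followed by entries of the kind the
# article describes. The names and the 192.0.2.0/24 addresses are placeholders.
$sampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.pcadvisor.example
192.0.2.10      www.pcmag.example   www.techradar.example   # three names, one line
'@ -split "`r?`n"

'Constructed sample:'
Get-RedirectingHostsEntry -Lines $sampleHosts | Format-Table -AutoSize
# Expected: three rows, all pointing at 192.0.2.10, from sample lines 4 and 5.

# Audit the live file (read-only).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    "Live hosts file: $hostsPath"
    $found = Get-RedirectingHostsEntry -Lines (Get-Content -Path $hostsPath)
    if ($found) { $found | Format-Table -AutoSize } else { 'No redirecting entries found.' }
}
```

A legitimate entry that points a name at a real address (an internal test server, for instance) will also be listed, so treat the output as a review list rather than a verdict; what matters is whether each listed name is one you expect to resolve elsewhere.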

The software has never been tested by PC Advisor, and the fake review is not hosted on the PC Advisor site. Other sites apparently targeted by the scam include PC Magazine and TechRadar.

Abrams warned that, once installed, Anti-virus-1 also issues fake security alerts, screen savers showing a blue screen crash caused by spyware and Internet Explorer hijacks. He's provided tips on how to remove Anti-virus-1/Antivirus 2010 on his website - although we've yet to test the procedure.
