Monday, November 17, 2008

Antivirus 2009 Protection Scam pro-scan-online

Antivirus 2009 Protection Scam




I was on my work machine and I received this pop up warning me about spyware. This kind of shocked me because the sites I visit at work are few and are work related. Not the type of sites that usualy have this type of advertising. Now that I think about it, I may know the site. If I am right, its a 3rd party add doing it so any site you trust could be doing it.



I run several monitors and could see a session of IE running as small as it possibly could off to the right. A place that would be off screen for most people. Once I closed the pop up message, I saw it open a full window page that did a fake scan of my system. It indicated that several errors were found and even gave the names of a few viruses. As an IT security professional, I know how to keep my system clean and knew the report that it gave me was staged and false.







Clicking anywhere within the window (like the fake red X or cancel button) started downloading a file. On older web browsers it prabably would have just ran the program, but my version of IE gave me the option. You can either save it or run it. I pray that none of you ran it. Don't even save it. Your best bet is to close IE and end your session. Then log off or reboot.

I did not get infected by it, but I can easily see how the average person would. I work in IT and have a good eye for stuff like this. I also know the average user and this prays on them. I also know several people that have gotten trapped by this. I included some screen shots from the site and a few links where people were talking about it.

The URL for me was pro-scan-online.com but with a scam like this, I expect them to have lots of different sites set up. The file name was A9installertest_77024202.exe.


Here are some other people running into this same thing:

http://forums.vnunet.com/thread.jspa?threadID=146114

http://forum.joomla.org/viewtopic.php?f=267&p=1484262

http://loscompanion.com/forums/index.php?topic=5473.0

From reading a bit, its called the A9 Installer virus. I think its more crapware than a virus, either way avoid it.