Microsoft warns of fake "Security Essentials 2010" anti-virus software

Microsoft is warning users about a fake anti-virus product named "Security Essentials 2010", a name nearly identical to that of the company's own protection software.

The fake software is actually the trojan Win32/Fakeinit. If a user installs the software, Fakeinit’s downloader installs a fake scanner component that monitors other processes and attempts to terminate them. In some cases, processes will be flagged as if they are infected. The trojan also lowers a number of security settings in the registry and changes the desktop background to an unchangeable multicoloured warning.

"Well, it had to happen eventually. One of the oldest tricks used by rogue antivirus products is to use a similar name as, or have a similar look and feel to, legitimate security software. It’s been commonplace for them to mimic the Windows Security Center. So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Microsoft Security Essentials. If anything, it surprises me a little that it’s taken so long," said David Woods at Microsoft Security.

Microsoft confirmed its own genuine Security Essentials software removes the trojan. Security Essentials is designed to work on Windows XP, Vista and 7 and protects end users against virus threats and spyware. MSE is Microsoft's free anti-virus and anti-spyware product that is set to replace Microsoft's paid Windows Live OneCare subscription service, which was withdrawn earlier this year. Neowin exclusively revealed Security Essentials in June, when it was codenamed "Morro".

The fake Security Essentials 2010 also prompts end users to activate and pay for a "full version". Microsoft's own Security Essentials is available free for download:

Download: Windows XP (32 bit)
Download: Windows Vista & Windows 7 (32 bit)
Download: Windows Vista & Windows 7 (64 bit)

Thanks to Shayla for the news tip

54 Comments


We can help fight this by posting a security alert in our facebook/twitter profiles (or whatever place you connect with your friends).

I had this same exact copy a few weeks ago.

It's different than the other variations. Safe mode wouldn't work. I forget what I did. (got it late at night, didn't go to sleep until I got rid of it, heh) but it was a pain.

This is not new...news. This pop-up anti-virus thing has been happening for the last 2 years. We in the Asia region are used to seeing it so often.

Also if you're infected, you don't actually need to format your PC. Just go to Safe Mode with Command Prompt, and find the virus file, and delete it, also remove the folder. Reset the PC. Voila...no more virus. If you use IE go to its properties, and disable the virus news & updates.

I almost got this, a rogue ad popped this up when I was browsing a site. I terminated my browser immediately and ran a full scan to be sure I didn't get infected. It's important that I keep my PC clean considering I run a website and getting infected would allow hackers access.

I also think UAC on Windows 7 might have had a small part to play and I was able to avoid infection. I make sure I enable adblock on any new sites I decide to browse or any sites I don't explicitly trust from now on.

If you click on the "Win32/Fakeinit" link, you'll see a list of sites that the trojan blocks. Some of the sites are popular like facebook.com and washingtonpost.com. The others, though, aren't so popular (if you catch my drift).

I've been trying to get infected by these types of programs to see how a user might get them. Maybe I'm looking in the wrong places.

My sister ALMOST got infected, she called me before it completed, I had her replicate what she did.
<varies with site>
she went to facebook<application settings<Were related, it came in on a add/center control <- doesnt do it anymore that i have tested
<end variable>

It pops up with a pop-up that looks like XP My Computer (I have gotten the same popup on iPod Touch, OSX, Ubuntu 9.10, and it always looks like the Windows XP "My Computer" or a pop-up that says "Your Infected do you want to run a scan now").

If you click anything, it will activate; the ONLY way to not get hit is by Alt+F4 till the desktop (will have to do multiple times), then restart and run Malwarebytes/MSE. Literally, if you click almost anything else, it will activate and hit you.

pyehac said,
I've been trying to get infected by these types of programs to see how a user might get them. Maybe I'm looking in the wrong places.

Edited by Hell-In-A-Handbasket, Feb 26 2010, 8:45pm : Clarification that the facebook entry routine no longer works

Too bad the web's full of fake antivirus products.

There's a good list on the web that's full of these things: http://www.spywarewarrior.com/rogue_anti-spyware.htm

1) It says MS Security Essentials removes it, but does it prevent/block it?
2) Does MalwareBytes remove it/block it (if using paid version)?

mados123 said,
1) It says MS Security Essentials removes it, but does it prevent/block it?
2) Does MalwareBytes remove it/block it (if using paid version)?
Yes, yes.

If not, then probably new build, so please submit it:

http://forums.malwarebytes.org/index.php?showforum=44

Edited by war, Feb 26 2010, 8:52pm :

war said,
Yes, yes.
If not, then probably new build, so please submit it:
http://forums.malwarebytes.org/index.php?showforum=44

How could the answer be yes, yes then if not? :-)
I will check out the link, thanks!

There are different renditions and versions of the malware itself.
The original infection is actually over 3 years old, not recent; the 2010 label has been out since early-mid last year. The date numbers change about the same time Norton's do, if not close.

mados123 said,

How could the answer be yes, yes then if not? :-)
I will check out the link, thanks!

I hate saying this, but why not link to the actual page and not an executable directly? It would be more beneficial that people know it's http://www.microsoft.com/security_essentials/ than a link on this page, just for security's sake

ObiWanToby said,
Malware is dumb.
I bet they "earn" what you "earn" each year in a month or less. So how dumb? ;)

Edited by war, Feb 26 2010, 8:31pm :

I'd have to agree with David Woods, I'm surprised this did take so long. Considering that this is a free anti-virus aimed at the "novice" computer users, it's a perfect opportunity for an exploit.

Of course, it is sad that these people are taking advantage of this situation as well.

I've had to deal with this for a couple months at work. Old news unfortunately. But just to clarify, this is not the result of people being tricked into installing the wrong AV software, it's the result of someone downloading (accidentally or on purpose) something else that installs this.

astrokat said,
I've had to deal with this for a couple months at work. Old news unfortunately. But just to clarify, this is not the result of people being tricked into installing the wrong AV software, it's the result of someone downloading (accidentally or on purpose) something else that installs this.
Or using fake tool-bars and fake search engines and then drive-by downloads.

Almost every PC I worked on that has this infection the owner installed some sort of tool-bar. Typical in my experience!

Edited by war, Feb 26 2010, 7:46pm :

MSE removes this but I have yet to see it detect installation of this.
More commonly, a similar trojan named "Antivir" (Nothing to do with Avira Antivir) has been getting installed recently.

Apparently MS Security Essentials has become quite the popular program. I use it and it's been great so far, too bad popularity gets you this in the software world.

Ricksterm said,
Looks like they made good use of Microsoft paint for the wallpaper there!
Yeah those cheap *******. Perhaps you should ask for your money back. ;)

Unfortunately, the people reading this site aren't the sort of people that will have problems with this kind of thing. It's the uneducated PC users that need this kind of information.

what said,
Unfortunately, the people reading this site aren't the sort of people that will have problems with this kind of thing. It's the uneducated PC users that need this kind of information.

Who is to say there isn't uneducated PC people around? They might even stumble upon Neowin just by a google search on a specific subject.

Eddo89 said,

Who is to say there isn't uneducated PC people around? They might even stumble upon Neowin just by a google search on a specific subject.


Exactly. Just read any of dannyd's threads in the forum.

what said,
Unfortunately, the people reading this site aren't the sort of people that will have problems with this kind of thing. It's the uneducated PC users that need this kind of information.

As IT professionals & enthusiasts it is part of our responsibility to keep somewhat abreast of new and emerging security threats to help out those less knowledgeable in the field. At least that is my perspective.

Eddo89 said,

Who is to say there isn't uneducated PC people around? They might even stumble upon Neowin just by a google search on a specific subject.

I'd think the ratio of geeks to technophobes is pretty high...

As IT professionals & enthusiasts it is part of our responsibility to keep somewhat abreast of new and emerging security threats to help out those less knowledgeable in the field. At least that is my perspective.

Of course, I'm not denying that, but it's just that news like this more often than not stays on the internet, on the tech blogs and such, which the average joe is not going to be keeping a daily check on.

what said,
Unfortunately, the people reading this site aren't the sort of people that will have problems with this kind of thing. It's the uneducated PC users that need this kind of information.
There are enough of these uneducated users leaving comments on this article. So maybe not? ;)

mikefarinha said,

As IT professionals & enthusiasts it is part of our responsibility to keep somewhat abreast of new and emerging security threats to help out those less knowledgeable in the field. At least that is my perspective.

I could not agree more, I think people should be aware of high risk security issues like in this article. But when you have somebody who knows nothing outside Facebook and Twitter, how can you educate somebody who will not listen? Fact, there are around 38% of end users in the UK who do not have any form of Internet security. This is my estimation, probably higher but still I know of people who browse everyday without IS or AV installed on their system. Although, when you get something like this which, I must admit, looks pretty convincing to say the least, people regardless of astuteness would think this was real. It is just people are not aware of the dangers, it is nothing to do with their ability and/or education, it is our way of life, if you believe something is real then you will, without any thought, click on the link. It is like telling people do not touch the wet paint...? What do we do...? Touch the paint.

tensegrity said,
Are the download links to the fake or real antivirii software, they aren't labelled so it's hard to tell?

Look more closely at the last part of the last paragraph which says the following "Microsoft's own Security Essentials is available free for download" and the download links point to microsoft.com so yes they are genuine links to the real MSE product.

Edited by StevenNT, Feb 26 2010, 9:11am :

tensegrity said,
Are the download links to the fake or real antivirii software, they aren't labelled so it's hard to tell?

We wouldn't post the link to the malware. :)

tensegrity said,
Are the download links to the fake or real antivirii software, they aren't labelled so it's hard to tell?
Simply move your mouse over the link and look in the status bar and it shows you they are links to microsoft.com .

So you just blindly click on links do you? So typical!

Edited by war, Feb 26 2010, 7:30pm :

Must be a slow day at neowin. These things are never surprising. I'll bet it was created by the same people who did antivirus xp and vista antivirus.

Slow day or not; this is good information for those who may just mistake the Security Essentials 2010 for Microsoft Security Essentials. This is the type of information that Neowin needs to be putting out to those who are not as computer intelligent as you may be.

Thank You Neowin for this important information.

freeeekyyy said,
Must be a slow day at neowin. These things are never surprising. I'll bet it was created by the same people who did antivirus xp and vista antivirus.

Just because this is common practice doesn't mean it's a slow news day. I use MSE, but others who are less IT literate might just assume it's the same thing.
I found this an interesting read, not that it enlightened me about the practice of the malicious IT people out there, as I know that it happens.

I second the thank you to Neowin.

Edited by yeoo_andy_ni, Feb 26 2010, 8:17am :

freeeekyyy said,
Must be a slow day at neowin. These things are never surprising. I'll bet it was created by the same people who did antivirus xp and vista antivirus.

Actually I am still surprised how many people fall for this after all the guides, news and information they get to avoid this.

You have no idea how many laptops we clean at work from this mess.

Beastage said,

Actually I am still surprised how many people fall for this after all the guides, news and information they get to avoid this.

You have no idea how many laptops we clean at work from this mess.

Yea dude, not everyone reads the IT section of the newspaper, there are many more important things to worry about. Besides, technology reports in everyday papers are just horrendous, basically a bunch of Apple iPhone reports and how they've revolutionized the market, not surprised that many get hoodwinked by this.

Beastage said,

Actually I am still surprised how many people fall for this after all the guides, news and information they get to avoid this.

You have no idea how many laptops we clean at work from this mess.

Not surprising to me at all. Your typical user is a complete idiot. Your typical user is not smart enough to know he/she should be downloading Security Essentials directly from microsoft.com.

They instead use crappy search engines, via a toolbar he/she installed to find anti-virus. But of course the search results are filled with spyware pages. After all the idiot installed the toolbar.

Edited by war, Feb 26 2010, 7:14pm :

Beastage said,

Actually I am still surprised how many people fall for this after all the guides, news and information they get to avoid this.

You have no idea how many laptops we clean at work from this mess.


But when dumb people do illegal downloading and they open what they downloaded, they would most likely get infected. I believe half of this so called "Scareware" comes from downloading illegal/pirated stuff.

jesseinsf said,

I believe half of this so called "Scareware" comes from downloading illegal/pirated stuff.

Do you have sources to substantiate your opinion? You do realize that you're calling a criminal anyone who ends up with malware. That's a very ignorant view.

jesseinsf said,
I believe half of this so called "Scareware" comes from downloading illegal/pirated stuff.

I agree with Cat Fluid, that's not a very educated statement. From my experience in my repair shop, when people bring a PC with these fake AV, it's almost all the time from free porn sites. Some will warn me right up front, but I can always find evidence in the explorer cache.