
Mal/FakeAV-PY

Posted: February 10, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 50
First Seen: February 10, 2012
OS(es) Affected: Windows

Mal/FakeAV-PY is a proactive detection label for attempted installations of Windows Secure Kit 2011 or other members of the Rogue:Win32/Winwebsec family of scamware. Although fake security programs from the Winwebsec family have been in distribution for some time, Mal/FakeAV-PY has acquired attention because it is part of a recent rise in blackhat SEO attacks that redirect your web browser from a search engine's results to an unrelated website marketing Windows Secure Kit 2011 and similar fake software. Competent and up-to-date anti-malware products may be able to detect and block Mal/FakeAV-PY prior to its installation, but should this fail, SpywareRemove.com malware researchers warn that you should be prepared for fake PC threat alerts, inaccurate warning messages, fraudulent scans and other symptoms that are standard for rogue security products from the same family.

Mal/FakeAV-PY – Just the Last Step in an Intricate Dance of Browser Attacks

Winwebsec-based scamware products have been in circulation for over two years, and although new versions of these fake security products have been given fresh names, their functions are fundamentally identical to those of their predecessors. Mal/FakeAV-PY is the final step in an online attack that uses blackhat search engine optimization, redirects and misleading promotional content to install a fake security application onto your PC. These Mal/FakeAV-PY attacks have been noted to focus on installing Windows Secure Kit 2011, but other types of Winwebsec scamware, such as Security Sphere 2012, Security Shield Pro, Essential Cleaner, Total Security or Antivirus 2008 may also be installed in a similar fashion.

Typical attacks that involve Mal/FakeAV-PY follow in this fashion:

  • During an online search with a popular search engine, a malicious website used for redirect attacks is inserted into your results despite its irrelevance to your search terms. Anti-malware software may detect this page under the label Mal/SEORed-A or other aliases, and web browser security settings may be able to prevent the redirect that follows.
  • The Mal/SEORed-A redirect forces your web browser to load a second site that promotes rogue security products from the Winwebsec family. These sites may also be identified by their own threat label, such as Mal/FakeAvJs-A.
  • Lastly, Mal/FakeAvJs-A attempts to install Mal/FakeAV-PY onto your PC, either through misleading alerts or through drive-by-download attacks that force the installation to occur without your permission.

The SpywareRemove.com malware research team notes that the result of all this is simply to encourage you to buy Mal/FakeAV-PY's product, which is promoted by an endless series of inaccurate pop-ups, system scans and other forms of fake system analysis. However, since Rogue:Win32/Winwebsec products like Mal/FakeAV-PY aren't capable of detecting or deleting real PC threats or other problems with your computer, you should never buy scamware that's promoted in a Mal/FakeAV-PY attack.

Teaching Mal/FakeAV-PY a Lesson in Real PC Security

Mal/FakeAV-PY attacks, including the encryption and packing techniques used by the installer, have been known to rely on very recent exploits, and SpywareRemove.com malware experts stress the urgency of keeping your security software and browser updated to minimize any security flaws that Mal/FakeAV-PY could use for its installation. Disabling common vehicles for redirect attacks, such as Flash or JavaScript, may also stop Mal/FakeAV-PY attacks by preventing the initial redirects, and, of course, it's always recommended that you be cautious around unusual links in your online search results.

If you need to delete Mal/FakeAV-PY or a related PC threat, you should be prepared to use competent anti-malware programs, since manual removal is typically ineffectual against Winwebsec-based rogue security programs and equally sophisticated forms of malicious software. Although Mal/FakeAV-PY may create security issues by attempting to disable your real security software, using common anti-malware strategies to disable Mal/FakeAV-PY will allow you to remove Mal/FakeAV-PY appropriately and regain full safety for your PC.

Aliases

  • Suspicious file [Panda]
  • Mal/FakeAV-PY [Sophos]
  • TR/Crypt.ZPACK.Gen [AntiVir]
  • Trojan [K7AntiVirus]
  • Artemis!9E8510765E97 [McAfee]

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: xmxmrxh.exe
Path: %SystemDrive%\Documents and Settings\Dr. Shah\Local Settings\Application Data
Size: 310.78 KB (310784 bytes)
MD5: 9e8510765e974a0042471f4ab1961ec7
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 21, 2012
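An added example (not code from the page or from SpywareRemove.com) that turns the file record above into a defender-side sweep: it hashes files under a directory (the per-user Application Data folder named in the record, or any path given) and reports an exact MD5 match as a known Mal/FakeAV-PY dropper, and a name-only match as a possible repacked variant, since Winwebsec droppers are rebuilt often and a hash alone will miss them. The `max_size` limit and the `classify` verdict names are this example's own assumptions.

```python
import hashlib
import os
import sys

# Indicator copied from the page's file-system record for the Mal/FakeAV-PY dropper.
FAKEAV_PY_INDICATORS = {
    "xmxmrxh.exe": {"md5": "9e8510765e974a0042471f4ab1961ec7", "size": 310784},
}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 is the digest the page records)."""
    return hashlib.md5(data).hexdigest()


def classify(name, size, md5, indicators=FAKEAV_PY_INDICATORS):
    """Return 'exact' when the hash matches a known sample (whatever the file is
    called), 'name-only' when only the dropper's file name matches (hash or size
    differ, so treat it as a possible repacked variant to be submitted for analysis),
    and None otherwise. Verdict names are an assumption of this example."""
    name, md5 = name.lower(), md5.lower()
    for known_name, ind in indicators.items():
        if md5 == ind["md5"]:
            return "exact"
        if name == known_name.lower():
            return "name-only"
    return None


def scan_dir(root, indicators=FAKEAV_PY_INDICATORS, max_size=4 * 1024 * 1024):
    """Walk root, hash every readable file up to max_size bytes (assumed cap, so an
    unrelated large file does not stall the sweep) and return (path, verdict) hits."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
                if size > max_size:
                    continue
                with open(path, "rb") as f:
                    digest = md5_hex(f.read())
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            verdict = classify(fn, size, digest, indicators)
            if verdict:
                hits.append((path, verdict))
    return hits


if __name__ == "__main__":
    # Default root: the per-user Local Settings\Application Data folder the record
    # names (LOCALAPPDATA on Windows); any directory may be passed as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("LOCALAPPDATA", ".")
    for hit_path, hit_verdict in scan_dir(root):
        print(f"{hit_verdict}: {hit_path}")
```

A 'name-only' hit is not proof of infection on its own; it is the file to quarantine and submit for a fresh hash rather than to ignore.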