Fake AV operators continue to change the graphic interface design on their malicious creations.
Clones we’ve seen recently include “XP Antispyware Pro 2013,” “XP Defender 2013,” “XP Security 2013” and “XP Antivirus Pro 2013.”
Download pages are detected by at least three AVG LinkScanner signatures.
Since this is the time of year that legitimate AV companies are unveiling their 2013 versions, the fake AV operators (as in past years) are following suit.
No one expects these things to make sense, but the initial pop-up window uses the name “WindowsSecurity 2012.”
AVG LinkScanner detects the rogue (with three signatures) at this point. Closing the browser without clicking “OK” prevents the executable files from being installed.
Clicking the “OK” button starts the first of two fake scans.
Closing the browser at this point also prevents installation of the rogue executable. Clicking the “Remove all” button, however, installs an executable file (the files periodically change in size, probably to inhibit AV scanner detection) and presents the following screen.
The “File Download” box is bogus, since the file has already been installed on the victim’s machine.
After the scan finishes, a “Secure Transaction Processing” window appears (also of new design) and leads to a payment screen (below).
Closing the browser after the rogue is installed will NOT make it go away.
The malware then stops all practical use of the infected machine by throwing up a nag screen whenever a browser or other application is opened. Below is a screenshot of a phony “XP Security 2013 Firewall Alert” when the tester attempted to open the Windows calculator application.
To make the phony threat a bit more credible, the rogues also pop up warnings from the Windows tray: