Security researchers at CA Inc. have discovered a malicious program that poses as a Windows Security Center. Once installed by a Trojan, the program informs the user of non-existent infections, the researchers said.
Writing in CA's Security Advisor Research Blog, Benjamin Googins, senior engineer at CA, said the infection alters registry settings and can control critical system settings, including proxy settings.
Googins said the malicious file is called seccenter.exe. The program launches the fake security center and immediately begins to goad the user into downloading WinDefender 2008, a fake spyware removal tool. The program also limits the user's Internet connection, making it impossible to load legitimate websites. It then asks the user to pay $40 for the spyware program.
"By limiting the user's Internet connection to primarily downloading WinDefender 2008 the user cannot download a legitimate anti-malware product to remove the infection," Googins said.
The only difference between the fake Windows Security Center and the actual security center provided by Microsoft is a tiny icon and a message warning that "WindowsDefender is inactive."
"Without extensive knowledge of the Windows system, this very convincing fake could throw most PC users," Googins said.
It's the second time this week that Microsoft was targeted with phony programs posing as legitimate security updates. Microsoft warned earlier this week of a fake notification email message that looks almost exactly like legitimate messages Microsoft sends to its customers. The message tried to take advantage of Microsoft's monthly release of security updates.
Instead, a Trojan called Backdoor.Haxdoor is attached to the email and, if installed, could allow an attacker to access information on a victim's computer. The email claims the executable file is Microsoft's latest security update.
Writing in the Microsoft Security Response Center blog, Christopher Budd, security program manager in the Microsoft Security Response Center, said the email "claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it."
"First and foremost, we never, ever, ever send attachments with our security notification e-mails," Budd said. "And, as a matter of company policy, Microsoft will never send you an executable attachment. If you get an e-mail that claims to be a security notification with an attachment, delete it. It is always a spoof."