A new scareware package tries to sell bogus antivirus software to its victims using an apparent endorsement of the software by Microsoft.
A variant of the infection that urges users to buy DefenceLab antivirus software now also directs them to a Microsoft support page where a display describes a new threat and recommends using DefenceLab antivirus to clear it and protect against it.
It's a real Microsoft support site, but it's the malware already running on users' infected computers that injects the threat warning and the endorsement of the antivirus software, according to a blog by Matt Kelchner, a researcher at Sunbelt Software.
The scam is intended to prod users into clicking a "Fix It" button that leads them to a site where they can buy the antivirus software.
This twist is an extension of an ongoing scareware epidemic. Malicious software is downloaded to victims' machines and pops up warnings that the computer has been scanned and found to be infected. It then pops up windows urging them to buy antivirus software that can get rid of the problem.
The problem reportedly does go away, but experts say that doesn't mean the virus that created it is removed and won't cause more problems later.
Similar Trojans have been around for years and are among the "cash cows" identified by Cisco in its annual report on cybercrime. Other variants of these Trojans have encrypted files on victims' computers and basically held them for ransom. If users want to decrypt them, they have to fork over $40 to buy antimalware forced on them by the malware.
The criminals behind the malware also poison Google search results so when victims search for ways to remove the malware, sites for buying the bogus antivirus software come up first.