Identifying and Avoiding Fake Anti-Virus Programs

Mark Berry December 21, 2010

One of the biggest threats to your computer comes when you land on a web site containing a fake anti-virus warning. These sites try to trick you into installing a program that is actually a virus. Sometimes these programs will encrypt files on your system, then charge you money to unlock them. But what does a fake anti-virus site look like, and what should you do?

Here is an example of a bogus anti-virus web page:

[Image: fakeav1]

How to Tell

It’s confusing because the virus authors have created a web page that looks like a Windows XP Control Panel display, with the blue background on the left, folders on the right, and so on. But this page is not from Windows! It’s just a web page, and it wants to hurt your computer. How to tell?

Internet Explorer Warning

If you look at the header, you can see that just landing on this page has caused it to try to start downloading a file. Fortunately, Internet Explorer 8 is giving you a warning before starting the download:

[Image: fakeav2]

Warning: What is not obvious is that clicking anywhere on the page will probably start to download a virus. The whole page is a giant button. Don’t click on the page!

Does This Make Sense?

When you land on a page like this, ask yourself some questions before continuing:

1. Does this look like a legitimate warning from the anti-virus program that I’m using? If you’re using Trend, VIPRE, Norton, etc., the name of that program should appear in any warnings from that program. (Careful: even if the name does appear, it could still be fake.)

2. Does this look like a legitimate warning from my operating system? In this case, the user was running Windows 7 when this Windows XP-like screen came up. (Even Windows XP would never display anything exactly like this.) In fact, the attempt to simulate a Windows page inside a browser window is itself a big red flag: legitimate warnings from the operating system will never appear inside a browser.

3. Did I intentionally navigate to this web address? If you’re looking for pictures on Google Images, and you wind up on a “safeonly-scanner” web site in India (.in), you’re probably not where you meant to be. You can look up the last part of a web address at Wikipedia’s list of top-level domains to see which country you’re visiting.

[Image: fakeav3]

What to Do

The safest thing to do at this point would be to log off of Windows or just shut down your computer. (The truly paranoid will just unplug the power.) If you have open documents (Word, Outlook, etc.), you can carefully save and close them, but do not try to close Internet Explorer.

Why not? If you close Internet Explorer by clicking on the red X in the upper right corner of the browser window, you may see a screen like this:

[Image: fakeav4]

The problem is that most likely, this popup window is also from the fake anti-virus page. So if you click on it (whether you click on OK or Cancel), you’ll start the virus download. It’s best to just get out of Windows without touching Internet Explorer.

Finally, after you log back on to the computer, run a full anti-virus scan just to make sure the computer didn’t get infected. Since no anti-virus program catches all viruses, consider running a program in addition to the one you have installed on your computer. MalwareBytes and Sunbelt Software’s VIPRE Rescue are good, free choices.

