Fake Windows “Antivirus” Code Infected 1 Million Computers

As of November, the Malicious Software Removal Tool also added Win32/FakeSecSen to the limited list of malicious code it is designed to hunt down. Since introduction into the MSRT, the rogue antivirus was removed from no less than 994,061 computers, according to Microsoft. The Redmond company estimates that for every 1,000 machines scanned in the U.S. alone, seven days ahead of November 19, approximately five had been infected with Win32/FakeSecSen.

“There is no surprise about the prevalence of these rogues given our earlier telemetry analysis on other Microsoft AV products and tools. For comparison, the #1 family last month was Renos with 389,036 distinct machines cleaned in the first week and 655,535 machines for the whole month. And the most significant result for MSRT this year was the June release when we added eight game password stealer families, was Win32/Taterf with 1,246,792 machines cleaned by week 1 and 1,536,831 machines for the whole month,” explained Microsoft's Scott Wu, Scott Molenkamp and Hamish O’Dea.

Statistics provided by Microsoft pointed out that just 198,812 of the instances in which Win32/FakeSecSen had been removed actually contained an .EXE file. According to the company, this is illustrative of the fact that the rogue security software's executables had been removed manually or via legitimate antivirus products, while the incomplete Win32/FakeSecSen files could represent failed installations.

The software giant claims that there is a connection between the Renos family of malicious code and Win32/FakeSecSen. This because malware such as TrojanDownloader:Win32/Renos.Y, TrojanDownloader:Win32/Renos.AY, TrojanDownloader:Win32/Renos.EK will also download Win32/FakeSecSen on infected machines. In this context, another scenario for the delivery of Win32/FakeSecSen involves the rogue security software ending up on a machine already infected by malware.