The fake scan has been causing panic in one of two ways among those who don’t understand exactly what’s happening:
- Some people believe this is a real scan and panic, thinking that their computer is infected with multiple viruses (and might end up clicking on the provided link to install antivirus software).
- Others immediately recognize this as a fake but worry that a virus is being loaded onto their computer anyway.
You are then redirected to a page with the title “Fast Windows Antivirus 2011” which features a fake Windows Explorer window, and a fake progress bar counts its way from 0 to 100%. Along the way, multiple “viruses” appear in the progress window.
The end result is that no harm will come to your computer unless you install that executable file, and installing it requires you to accept a prompt. As long as you don’t authorize that installation, your computer stays uninfected. However, it’s a serious nuisance. I decided to take a closer look at the source code to figure out what’s happening here.
The initial popup does this:
alert('Windows Security has found critical process activity on your PC and will perform fast scan of system files');
It resizes your browser window to 0 by 0 pixels and triggers a standard alert with the above text. Your only choice is to click OK, but there is no consequence; it just allows the browser to proceed. At this point, whether immediately or hours later, you can navigate away from the page without damage being done to your computer.
Why is this happening?
The group behind this most likely runs a web crawler that pulls popular pictures from Google Image Search, archives them, and re-hosts them across several domains (the most common one I’ve seen is ichthus.org), so that your search results are clogged with dozens of copies of these images, each of which sends you to the fake virus scan page.
What can you do?
The very first thing you can do is navigate away from this page, but the most important thing you should do is avoid installing that executable file.
However, there’s more; you can block this website altogether so that attempts to load this page will show a browser error, like this:
This way your browser won’t be resized, and you won’t have to deal with the redirects taking you back to the page, the attempts to get the executable installed, etc. You do so by adding a line to the hosts file on your computer. Here’s how it’s done:
In Windows:
- With Notepad, open the hosts file found here: C:\windows\system32\drivers\etc\hosts
- Move the cursor to the bottom line and enter this text:
- Now save the file.
In Mac OS X:
- Open the Terminal (found in the Applications/Utilities folder)
- Type sudo nano /private/etc/hosts
- Move the cursor down to the bottom line and enter this text:
- Now hit CTRL+X and press Y to save the changes.
Both methods perform the same action on different operating systems. Now when your computer tries to load avar-antivirus.cz.cc, the hosts entry sends your browser to 127.0.0.1, the loopback address of your own machine, where no web server is listening. Instead of the fake virus scan, you’ll just get a harmless connection error.
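Here is a small shell script, added as an example and not part of the original post, that does the Mac OS X (or Linux) edit above in one step: it appends the entry to a hosts file only if the domain isn’t already blocked, and gives you a check you can run afterwards. The hosts-file path is a parameter so you can try it on a scratch copy first; the domain and the 127.0.0.1 address are the ones named above, and the demo at the bottom works on a constructed temporary file so nothing on your machine is changed.

```shell
#!/bin/sh
# Added example, not from the original post: append a "127.0.0.1 <domain>" entry
# to a hosts file, skipping it if the domain is already blocked, and verify it.
# HOSTS_FILE is a parameter so the functions can be tried on a scratch copy;
# the real file is /private/etc/hosts on Mac OS X (edit it with sudo).

# is_blocked HOSTS_FILE DOMAIN
# Succeeds (exit 0) if a non-comment line maps DOMAIN to 127.0.0.1.
is_blocked() {
    hosts_file=$1
    # Escape the dots so the domain is matched literally inside the regex.
    escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -v '^[[:space:]]*#' "$hosts_file" |
        grep -qE "^[[:space:]]*127\.0\.0\.1[[:space:]]+(.*[[:space:]])?${escaped}([[:space:]]|$)"
}

# block_domain HOSTS_FILE DOMAIN
# Appends the entry once; running it twice leaves a single line.
block_domain() {
    hosts_file=$1
    domain=$2
    if is_blocked "$hosts_file" "$domain"; then
        echo "$domain is already blocked in $hosts_file"
        return 0
    fi
    printf '127.0.0.1 %s\n' "$domain" >> "$hosts_file"
    echo "blocked $domain in $hosts_file"
}

# Demo on a constructed scratch copy of a hosts file, not the real one.
scratch=$(mktemp)
printf '127.0.0.1 localhost\n' > "$scratch"
block_domain "$scratch" avar-antivirus.cz.cc
block_domain "$scratch" avar-antivirus.cz.cc   # second call is a no-op
cat "$scratch"
rm -f "$scratch"
```

To apply it to the real file on Mac OS X, run the function with sudo, for example `sudo sh -c '. ./block.sh; block_domain /private/etc/hosts avar-antivirus.cz.cc'` (the filename block.sh is assumed). On Windows the same line goes into C:\windows\system32\drivers\etc\hosts with Notepad, as in the steps above.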
This method is a temporary fix; most likely this group will begin redirecting you to other domains. When that happens, you can use the same method to block the new domain as well. Hopefully soon something more permanent will be done about this issue.
Follow @torqtorq