The fake scan has been causing panic in one of two ways among those who don’t understand exactly what’s happening:
- Some people believe this is a real scan and panic, thinking that their computer is infected with multiple viruses (and might end up clicking on the provided link to install antivirus software).
- Others immediately recognize this as a fake but worry that a virus is being loaded onto their computer anyway.
All other tabs in that browser window are disabled; your choices are to minimize/maximize the browser window or click OK. Clicking OK here is safe, as we will discuss later.
You are then redirected to a page titled “Fast Windows Antivirus 2011”, which shows a fake Windows Explorer window and a fake progress bar that counts from 0 to 100%. Along the way, multiple “viruses” appear in the progress window.
When it’s done, the webpage prompts you with a fake Windows Security Alert that features two actions: Remove all and Cancel. Clicking either will prompt you to download an executable file which is a virus.
At this point you should either navigate back by three or more pages or close the browser tab. Doing so will trigger yet another alert which looks like this:
In this case, clicking OK is also safe.
The end result is that no harm will come to your computer unless you install that executable file, which you must be prompted to do. As long as you don’t authorize that installation, your computer is uninfected. However, it’s a serious nuisance. I decided to take a closer look at the source code to figure out what’s happening here.
The initial popup does this:
window.resizeTo(0,0);
window.moveTo(width1,height1);
alert('Windows Security has found critical process activity on your PC and will perform fast scan of system files');
It resizes your browser window to 0 by 0 pixels and triggers a standard alert with the above text. Your only choice is to click OK, but there is no consequence; it just allows the browser to proceed. At this point, whether immediately or hours later, you can navigate away from the page without damage being done to your computer.
Why is this happening?
The group behind this most likely has a web crawler that checks Google Image Search for popular pictures, archives them, and then republishes them across several domains (the most common one I’ve seen is ichthus.org) so that your search results are clogged with dozens of these images that send you to the fake virus scan page.
What can you do?
The very first thing you can do is navigate away from this page, but the most important thing you should do is avoid installing that executable file.
However, there’s more; you can block this website altogether so that attempts to load this page will show a browser error, like this:
This way your browser won’t be resized, you won’t have to deal with the redirects taking you back to the page, viruses trying to install, etc. You do so by adding a line to the hosts file on your computer. Here’s how it’s done:
In Windows:
- With Notepad, open the hosts file found here: C:\windows\system32\drivers\etc\hosts
- Move the cursor to the bottom line and enter this text:
- Now save the file.
In Mac OS X:
- Open the Terminal (found in the Applications/Utilities folder)
- Type sudo nano /private/etc/hosts
- Move the cursor down to the bottom line and enter this text:
- Now hit CTRL+X and press Y to save the changes.
Both methods perform the same action in different operating systems. Now when your computer tries to load avar-antivirus.cz.cc, it’ll send your browser to 127.0.0.1, which is the local address of your own computer, with nothing attached to it. Instead of being sent to the fake virus scan, you’ll just get the harmless error.
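The hosts-file edit described above, as an added shell example for the Mac OS X / Unix case (not code from the original post): it backs up the file and appends a 127.0.0.1 entry for the domain the post names, but only if no active entry exists yet. The function names and the .bak suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example. Typical use (hosts path as given in the post):
#   sudo sh -c '. ./block_host.sh; block_host /private/etc/hosts avar-antivirus.cz.cc'

SINK_IP="127.0.0.1"

# Accept only plain DNS names, so a crafted argument cannot smuggle
# spaces, comments or extra entries into the hosts file.
valid_hostname() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*) return 1 ;;
    esac
    return 0
}

# Succeeds if the file already maps the host to SINK_IP on an active line.
# Commented-out entries do not count; names are compared case-insensitively.
is_blocked() {
    awk -v h="$2" -v ip="$SINK_IP" '
        { sub(/#.*/, "") }
        $1 == ip { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) found = 1 }
        END { exit !found }
    ' "$1"
}

block_host() {
    hosts_file=$1
    host=$2
    valid_hostname "$host" || { echo "refusing invalid hostname: $host" >&2; return 2; }
    [ -w "$hosts_file" ] || { echo "cannot write $hosts_file (use sudo)" >&2; return 3; }
    if is_blocked "$hosts_file" "$host"; then
        echo "already blocked: $host"
        return 0
    fi
    cp -p "$hosts_file" "$hosts_file.bak" || return 4   # keep a copy to roll back to
    # If the last line has no trailing newline, add one so the new
    # entry does not get glued onto the end of an existing line.
    [ -z "$(tail -c 1 "$hosts_file")" ] || printf '\n' >> "$hosts_file"
    printf '%s\t%s\n' "$SINK_IP" "$host" >> "$hosts_file"
    echo "blocked: $host"
}
```

A hosts entry matches one exact name only, so a variant such as a www. prefix or a different subdomain needs its own line.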
This method is a temporary fix; most likely this group will begin redirecting you to other domains. When this happens, you can use this same method to block that domain as well. Hopefully something more permanent will be done about this issue soon.
Thank you very much for posting this.
Finally! Thank you so much, I was losing my mind with this horrible site...
Nice blog. Thanks for sharing the information.
Perfect!!! What I can say is this article is very important to be written as it may help everybody to get awareness. Good job done.
My brother has this problem. I am glad I found this. I will try it tonight.
thanks... really helpful reading :)
The postings on your site are always excellent. Thanks for the great share and keep up this great work!