tumblr hit counter

FakeAV + Ransomware = Windows Expert Console

Nov 28

During the last months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However that doesn’t mean that our good “old friends” known as FakeAV aren’t around. Fake antivirus have been infecting users for years and they have not disappeared,  although it is true they are not as prevalent as they were in the past. This week we have seen a rise in FakeAV attacks using a new aggressive ransom-like approach.

The malicious file uses the following icon:

windows expert icono

Usually it gets in the computer under the name “cleaner.exe”, although we have seen it using different names. As soon as it is executed, it appears a screen where it shows the installation of a program called “Windows Expert Console”:

windows expert 1

It only takes a few seconds, and before user is able to react it restarts the computer. Once restarted the following screen will show up and we won’t be able to do anything:

windows expert_eng

If you try to get back to the desktop or run any application, you won’t be allowed. The only thing you can do is to click on that “Remove All” button, and that will take you to a different window in order to buy a license of this FakeAV. It costs $99.

At the same time we found this malware, we detected another variant, this one is less aggressive (it does not block your computer) although they share the same interface, the only difference is the name, this new one is called VirusBuster, the same as the historical antivirus company that closed last year. In this case you get this kind of warnings to make the user pay the license fee:

virusbuster3

As we mentioned, both programs share the same interface, and they are in 4 different languages (English, Spanish, German and French), in the following animated GIF you can see how they look like:

virusbuster-windows expert

In case you have been infected with any of these, you can use our free malware removal tool Panda Cloud Cleaner.

Post to Twitter

  • (5) Comments

Comments

  1. Chris says:

    That’s all very well but this virus won’t let you open the installer…

  2. You are saying that once it enters in PC users don’t find any time to react and the PC gets reboot. And after the reboot a particular screen appears, which allows user to don nothing except to click on button. So, if the malware does not allow user to launch any application, then how could he launch Panda Cloud Cleaner?

Trackbacks

Leave a Reply

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

  • Become a fan!


    Panda Security on Facebook
  • Blogroll

  • Categories