The following article (Written by Daniel Radu of the Microsoft Malware Protection Center) comes from the Microsoft TechNet Blog (LINK) http://blogs.technet.com/b/mmpc/archive/2010/09/01/rogue-msil-zeven-wants-a-piece-of-the-microsoft-security-essentials-pie.aspx . You should pay close attention to what the fake alert can look at in each of the browsers (At the bottom of the message you get “Upgrade to a reliable solution”).

**************************************************************************************************************************************

Rogue:MSIL/Zeven wants a piece of the Microsoft Security Essentials pie

A new rogue has started making its appearance from compromised websites: Rogue:MSIL/Zeven. We received a sample (70be8ca73142922fd78acf2aafa9f141a977f15a) and a URL and began our investigation.

Let us say from the beginning that the guys behind this rogue like to copy big-time. They start by auto-detecting what browser the user is currently using, and then faking the malware warning page if the browser is Internet Explorer, Chrome, or Firefox.  This is meant to be a social engineering scheme in order to trick the user into downloading and installing the rogue, relying on the user’s trust of his day-to-day browser.

The similarity between the fake warning pages is so accurate that it can trick even highly trained eyes.

In the Firefox page, for example, you can see it’s not the real warning page because they misspelled ‘out’ and wrote ‘Get me our of here’.

Chrome

Internet Explorer

But for all three browsers, a common indication that you are not looking at the actual browser warning is the offer of some sort of an “update” or “solution”. All the “updates” point to a copy of MSIL/Zeven that promises to provide “a new approach to windows detection”. Internet Explorer, Firefox, and Chrome do not offer such a solution when a website is blocked.

When installed, the product looks very genuine: it allows you to scan files, tells you when you’re behind on doing your updates, and enables you to tweak your security and privacy settings. These features are usually available in various legitimate antivirus solutions. However, the features don’t work; everything is there just to look nice, not to offer any kind of protection (just like in all other rogue antivirus programs).

Of course once it scans your computer it’s bound to claim it found something scary (malicious), as shown below:

As usual with rogue scanners, although it “found” malicious files, it claims it cannot delete them unless you update. That implies that you need to pay for the full version, which has the ability to download updates. However, these files are totally bogus; no such files exist in the user’s computer.

If you decide to buy the product, this rogue opens an HTML window enabled with ‘Safe Browsing Mode’ and high strength encryption to “help” and ”protect” you while completing your purchase. Of course these features are totally worthless and don’t actually do anything in the way of securing your credit card details.

The main page of the rogue antivirus program itself looks awfully close to the Microsoft Security Essentials webpage – more copying from the bad guys. The people behind it have even copied the awards received by Microsoft Security Essentials and link to the Microsoft Malware Protection Center -  pretty sneaky of them.

This is a screenshot of the rogue’s main webpage:

And, by way of contrast, this is a screenshot of the genuine Microsoft Security Essentials page:

It seems that these guys want to profit on the good reputation and success of Microsoft Security Essentials in order to make money – but we remind our customers that Microsoft Security Essentials can be downloaded at no cost. And it really does protect your computer from malware!

We detect both the downloader of the rogue and the rogue itself as Rogue:MSIL/Zeven.

Until our next encounter: browse safely!

Daniel Radu
MMPC Dublin

- Microsoft will pay you to send this to everyone you know

- An African Prince will pay you to help him get money from his country

- Warning: Tell everyone you know …..

(Just as an example of the 1,000’s of emails that seem to not go away).

     One of those such emails (Listed Below) is at the heart of today’s post.  Lets start with the idea that NOT EVERYTHING POSTED ON THE INTERNET IS REAL (and no Al Gore did not invent the internet).  The email (of which I removed the name of the person who forwarded it me, as to not call them out) is as follows

**************************************************************************************************************

Date: Sunday, March 14, 2010, 7:54 AM
Fw: please read concerning your phone

I dialed ’0′ to check this out, and the operator confirmed that this was correct, so please pass it on.. (l also checked out snopes.com . This is true, and also applies to cell phones!)
PASS ON TO EVERYONE YOU KNOW

I received a telephone call last evening from an individual identifying himself as an AT&T Service Technician (could also be Telus) who was conducting a test on the telephone lines. He stated that to complete the test I should touch nine (9), zero (0), the pound sign (#), and then hang up.  Luckily, I was suspicious and refused.

Upon contacting the telephone company, I was informed that by pushing 90#, you give the requesting individual full access to your telephone line, which enables them to place long distance calls billed to your home phone number.

I was further informed that this scam has been originating from many local jails/prisons. DO NOT press 90# for ANYONE…

The GTE Security Department requested that I share this information with EVERYONE I KNOW.

After checking with Verizon they also said it was true, so do not dial 90# for anyone !!!!! PLEASE HIT THAT FORWARD BUTTON AND PASS THIS ON TO EVERYONE YOU KNOW!!!

****************************************************************************************************************

Now the truth about the email concerning #90 on your phone. The email is actually a fake for the most part, even though it claims to have been checked at snops.com. The true link at snops.com is (LINK)http://www.snopes.com/fraud/telephone/jailcall.asp and that shows that only a very small number of people could be affected by this situation and it does not involve home or cell phones. Only people in offices that use older phone systems called PBX that use the #9 to get an outside line before dialing could have an issue with this. So unless you are in an office and use “9” before calling outside numbers the “concerning your phone” email does not affect you.

From snops.com

This specific email has been around since 1998 (and it keeps on ticking like the a certain bunny). Some of the signs that should alert you to the fact that this is a fake are

• “I dialed 0 and the operator confirmed….”  / Really I have never known an operator that can do more than place a call (Old school), and that’s about it, operators are not PR departments and I’m sure if this was a true risk that the phone companies would NOT rely on operators to get the word out .
• “I also checked on snopes.com…..” / OK – Snopes.com is a well known resource for looking for information on scams, not snops.com (and it seems that spelling is an issues with every single one of these emails).  So if this was legit wouldn’t they want to include the link so that we could read more ourselves.  Any legit report will include links when other sites are mentioned (AS in what I did above)
• “PASS IT TO EVERYONE YOU KNOW….” / Because if you don’t the end of the world will happen (Sarcasm), but anytime that you get the dramatic tell everyone, yet the note includes nothing to back up its claims, should tell you Woooo.
• Note the use of “AT&T service tech” on top of the email but “GTE security department” at the bottom. RED LIGHT!!
• Lastly don’t forget they also talk about Verizon at the bottom of the email / This is just thrown in to make sure you hear as many names (and hopefully one that you use) as possible, so that it sounds official.

So with all that being said, and with the age of the internet that we are in.  Before forwarding that Latest and Greatest Chain Email Letter – Check it out and make sure its real.  Everyone will like their email inboxes a lot more if we could just let some of these email DIE.

Some ways to check –

- Run the subject of the email as a search on Bing or Google search, see what the results are (and I don’t mean just the 1st listed result)

- Go to sites like Snopes.com and do a search for the subject on the site and see what results they give you.

- Use common sense