Symantec issued a warning about AnVi Antivirus, a new
"retrovirus," aka anti-antivirus, designed to kill legitimate
antivirus software. AnVi Antivirus is part of a social engineering
attack designed to trick users into getting rid of antivirus
products from such software vendors as AVG, Spyware Doctor,
Symantec, Microsoft, and Zone Labs.
The trick up the software's sleeve is that it actually uses
legitimate antivirus programs' own uninstallers to get users to
uninstall the software.
In particular, if a user executes a malicious file -- generally
dubbed Trojan.FakeAV by Symantec -- it launches a system-level
popup window warning the user that the currently installed antivirus
product isn't certified, is compromising system performance, and
should be uninstalled. Whether the user clicks "ok" or simply
closes the window, AnVi then launches the legitimate antivirus
software's uninstaller. At that point, the user would still need to
click the actual "uninstall" button for the software to be removed.
Interestingly, the malicious file -- which may be installed by
malware, drive-by downloading, visiting fake antivirus websites, or
come bundled with other software -- searches a Windows registry
subkey for currently installed antivirus software, then "launches
the uninstaller for certain legitimate antivirus software," said
Symantec.
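The behaviour described above leaves a distinctive trace on the endpoint: a security product's uninstaller is started by a parent that is not the Windows shell or the installer service. The following is an added detection example, not code from Symantec or from the article, run over a handful of constructed process-creation events; the product directories, trusted parent list, and sample paths are all assumptions chosen for illustration.

```python
"""Flag a security product's uninstaller launched by an untrusted parent process.

Added example for the technique described in the article: a dropped file
locates installed antivirus software and runs its legitimate uninstaller.
All paths and names below are constructed placeholders, not real products.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed install roots of security products on the monitored hosts.
# A real deployment would populate this list from software inventory.
SECURITY_PRODUCT_DIRS = (
    r"C:\Program Files\ExampleAV",
    r"C:\Program Files (x86)\ExampleFirewall",
)

# Assumed parents that legitimately start an uninstaller: the shell after a
# user clicks "Uninstall", Windows Installer, and the Control Panel host.
TRUSTED_PARENTS = {"explorer.exe", "msiexec.exe", "rundll32.exe"}

# Typical uninstaller file names (uninstall.exe, unins000.exe, uninst.exe)
# and command-line switches that turn a setup binary into an uninstaller.
UNINSTALLER_NAME = re.compile(r"^unins\w*\.exe$", re.IGNORECASE)
UNINSTALL_SWITCH = re.compile(r"(^|\s)[/-](uninstall|remove)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (e.g. fields from a Sysmon event)."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def under_security_product_dir(image: str) -> bool:
    """True if the executable lives under one of the assumed product roots."""
    norm = ntpath.normcase(image)
    return any(norm.startswith(ntpath.normcase(d) + "\\") for d in SECURITY_PRODUCT_DIRS)


def looks_like_uninstaller(event: ProcessEvent) -> bool:
    """True if the file name or the command line indicates an uninstall."""
    name = _basename(event.image)
    return bool(UNINSTALLER_NAME.match(name)) or bool(UNINSTALL_SWITCH.search(event.command_line))


def is_suspicious(event: ProcessEvent) -> bool:
    """Security product uninstaller started by something other than shell/installer."""
    return (
        under_security_product_dir(event.image)
        and looks_like_uninstaller(event)
        and _basename(event.parent_image) not in TRUSTED_PARENTS
    )


def find_suspicious_uninstalls(events):
    """Return the ids of events that match the rule, in input order."""
    return [e.event_id for e in events if is_suspicious(e)]


# Constructed sample events; the dropper path and product paths are made up.
SAMPLE_EVENTS = [
    # User removed the product through Add/Remove Programs: shell is the parent.
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 r"C:\Program Files\ExampleAV\uninstall.exe",
                 r'"C:\Program Files\ExampleAV\uninstall.exe"'),
    # A file dropped in the user's temp folder starts the same uninstaller.
    ProcessEvent(2, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 r"C:\Program Files\ExampleAV\uninstall.exe",
                 r'"C:\Program Files\ExampleAV\uninstall.exe"'),
    # Uninstaller of an unrelated application: outside the scope of this rule.
    ProcessEvent(3, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 r"C:\Program Files\Contoso\uninstall.exe",
                 r'"C:\Program Files\Contoso\uninstall.exe"'),
    # Same dropper removing the firewall through a setup.exe switch.
    ProcessEvent(4, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 r"C:\Program Files (x86)\ExampleFirewall\setup.exe",
                 r'"C:\Program Files (x86)\ExampleFirewall\setup.exe" /uninstall /silent'),
    # The product's own updater running setup without an uninstall switch.
    ProcessEvent(5, r"C:\Program Files (x86)\ExampleFirewall\updater.exe",
                 r"C:\Program Files (x86)\ExampleFirewall\setup.exe",
                 r'"C:\Program Files (x86)\ExampleFirewall\setup.exe" /update'),
]


if __name__ == "__main__":
    for event_id in find_suspicious_uninstalls(SAMPLE_EVENTS):
        print(f"ALERT: event {event_id} started a security product uninstaller from an untrusted parent")
```

The rule deliberately keys on the parent process rather than on the uninstaller alone, because a user removing a product through Add/Remove Programs produces the same child process; a parent in a temp or user-writable directory is what separates the scenario in the article from routine administration. The trusted-parent list is the part to tune per environment, since some products launch their own uninstaller from an updater or management agent.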
At the same time, the malicious file attempts to download AnVi
Antivirus, a new clone of retrovirus CoreGuardAntivirus2009, not to
be confused with the Vormetric technology of the same name. Once
activated, "the program reports false or exaggerated system
security threats on the computer," said Symantec. "The user is then
prompted to pay for a full license of the application in order to
remove the threats."
However, the fake antivirus program itself is the threat, and
provides no antivirus functionality.