Fake drive rescue utility demands $80 to restore desktop
First fake AV, now ‘fake HD’
By John E Dunn | Techworld | Published: 12:53, 23 May 2011
The fake software pushers just won’t give up. Security company Symantec has discovered a Trojan that tries to get PC users to pay for a worthless drive rescue utility by disrupting their system so convincingly they will believe that the PC’s hard disk is about to fail.
Trojan.fakefrag, as Symantec has named it, first throws up an error message deletes a couple of icons before wiping everything from the desktop and Windows Start bar. In fact, most of the disappeared files have simply been moved into the Windows ‘Current User’ folder in order to make it appear that the desktop's contents have disappeared.
In case this doesn’t convince the user that things are awry, it eventully stops the user changing the background image and even disables the Task Manager, throwing up the following message:
Related Articles on Techworld
“An error occurred while reading system files. Run a diagnostic utility to check your hard drive for errors.”
Conveniently, the Trojan then springs into life in the form of the bogus application ‘Windows Recovery’, and after running a diagnostic scan offers a way out of the unfolding mess for only $79.50 (£50) to buy its ‘advanced mode’ license.
Any user ignoring its advice will face a growing number or hard disk warnings messages before the Trojan eventually reboots the system at which point the system becomes almost unusuable. The only application able to run by that point will be the pestering Recovery application which can’t be closed.
If Trojan.fakefrag’s sales twist is new, the family of utilities it is trying to get users to hand over money for, UltraDefragger, is not. This family of applications first appeared in 2010 and seems to be growing into a valuable sideline for a Trojan industry that previously invented the hugely successful Fake antivirus scams. Once it was fake AV, now perhaps increasingly, 'fake HD'.
The most likely way to encounter Trojan.Fakefrag is by visiting a website (possibly a legitimate one) and being hit with in as a ‘drive-by’ automated social engineering attack. Getting rid of it should be simple using any up-to-date antivirus program, including Symantec’s, as well one of a number of free applications.
