
Just “Fake It”

Rogue Antivirus products have been around for years, and it seemed like they were getting more and more prevalent. However, at the beginning of 2014, infection rates from Rogue Antivirus products reached all-time lows.

Unfortunately, everything happens in cycles, and Rogue Antivirus programs are no exception. Enter the newest player: Defru_rogue_AV. This “little nasty” modifies the Windows HOSTS file, redirecting web traffic to a malicious website that displays the Fake AV warning. The redirection only happens when the user tries to connect to any one of the 300+ websites listed in the newly altered HOSTS file.

Users are then duped into believing that their system is infected and that it will only be cleaned if they pay $4.75 for a license of Windows Security. Such is not the case: those who pay the hefty $4.75 charge are rerouted to the same website, which asks for the $4.75 again.

However, unlike Cryptolocker, this virus doesn’t do any damage, and is fairly easy to remove. It can be removed by performing a few simple steps.

  1. Remove the "w1ndows_<4characters>" registry entry from the Windows Registry located at "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
  2. Delete the corresponding "w1ndows_<4characters>.exe" file from the %appdata% directory.
  3. Remove the added entries from the HOSTS file.

Alternatively, any Antivirus program will have the ability to remove the virus as well.
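
The three manual steps above can be checked with a short PowerShell script. This is an added example, not part of the original post: the `-Remove` switch is a hypothetical name, the HOSTS file is assumed to be at its default location, and treating every non-loopback HOSTS mapping as worth reviewing is an assumption, since the post does not list the added entries.

```powershell
# Added example: audit the three artifacts named in the removal steps.
# Without -Remove it only reports; with -Remove it deletes the Run value and the file.
param([switch]$Remove)

$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Assumption: default HOSTS location.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Step 1: Run values named "w1ndows_" plus exactly four characters.
# The suffix is matched with a wildcard because the post does not give it.
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$runValues = @()
if ($props) {
    $runValues = @($props.PSObject.Properties |
        Where-Object { $_.Name -like 'w1ndows_????' })
}
foreach ($v in $runValues) {
    Write-Output "Run value: $($v.Name) -> $($v.Value)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $v.Name }
}

# Step 2: the corresponding executable in %appdata%.
$files = @(Get-ChildItem -Path $env:APPDATA -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'w1ndows_????.exe' })
foreach ($f in $files) {
    Write-Output "File: $($f.FullName)"
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}

# Step 3: list HOSTS mappings that are not comments and not loopback.
# These are only reported; which ones were added is a manual decision.
$suspect = @(Get-Content -Path $hostsPath | Where-Object {
    $line = ($_ -replace '#.*$', '').Trim()
    $line -and ($line -notmatch '^(127\.\d+\.\d+\.\d+|::1)\s')
})
Write-Output "HOSTS entries to review: $($suspect.Count)"
$suspect | ForEach-Object { Write-Output "  $_" }
```

Run it once without `-Remove` to see what matches, then edit the HOSTS file as an administrator to delete the entries that do not belong.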

 

 
