A-Fast Antivirus Scam

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search

A-Fast Antivirus is a rogue anti-spyware or Rogue Antivirus program that uses misleading methods to scare users into thinking that their computers are infected with malware. It uses javascript and css within your web browser, including MSIE and Firefox, to mimic another well known antivirus program. It has been dubbed "scareware" by some writers.

A web site has malicious javascript code that causes an interface to appear, mimicking a legitimate looking antivirus scanning software. If you click one of the popups it installs a rogue security application.

A-Fast is known by other names:

  • Critical System Warning!
  • Fast Windows Antivirus

Update: Another Rogue Antivirus program has emerged in 2011 that, like A-Fast, looks like a anti virus interface, however, is much more convincing and some variants have the ability to automatically install in MSIE and Firefox! Internet Security 2012 Virus is more aggressive than A-Fast.

Many occurrences of A-Fast are reported by people doing Google Image Searches. A-Fast can hijack Google Image search result pages.

Files 

c:\Desktop\A-fast Antivirus.lnk

Folders 

c:\ProgramFiles\A-fast

Registry entries 

Key: HKEY_CURRENT_USER\Software\A-fast
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  Value: DosableTaskMgr
  Data: 01, 00, 00, 00
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Value: fast
  Data: C:\Program Files\A-fast\A-fast.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfileAuthorizedApplications\List
  Value: C:\Program Files\A-fast\A-fast.exe
  Data: C:\Program Files\A-fast\A-fast.exe:*:Enabled:afast
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Value: C:\Program Files\A-fast\A-fast.exe
  Data: C:\Program Files\A-fast\A-fast.exe:*:Enabled:afast

Example

There are more than one variants of A-Fast, so it may look slightly different depending on what version you encounter. The following is the version that I encountered. Although I didn't get infected, I proceeded enough to do some research and get some screen captures.

 

This is the popup you will encounter (Firefox Example) and you have no choices other than "OK". Here is where it is recommended you use Windows Task Manager and simply kill the web browser process to close your browser before anything is installed.

A-Fast01.png

 

If you click OK on the dialog box above, you will see this Fake Antivirus scan. It is actually your web browser after being hijacked by Javascript and CSS to mimic the look of a legitimate antivirus application.

 

A-Fast02.jpg

 

If you try to navigate away from the page or close the browser window another popup will urge you to proceed with the scan. Remember, these are ALL FAKE WARNINGS designed to scare you and trick you into allowing a virus to be installed on your system.

 

A-Fast03.png

 

 

The following link is a LIVE EXAMPLE of the A-Fast Fake Virus Scanner. DO NOT CLICK ON THIS IF YOU ARE NOT AN EXPERT IN PC SECURITY because it will attempt to install A-Fast on your system. This link is provided as a reference for research purposes only. This link was still known to be an active working example of A-Fast on March 2011. At some point it would be nice to see authorities somewhere shut this example down.

Virus Link Syntax:

http://utgvkxlo.co.cc/fast-scan/

Ironically, doing a Google Image Search produces an image from a web site at http://reco-chat.com.ar/ which is a hotlink to the virus. It is not fully understood why the google image link redirects to the .cc domain, while going directly to the URL Google reports the image at does not. Indications suggest an exploit in Google Images, which continues to be ignored by Google even a year after we first detected it.

 

 

Retrieved from "http://wiki.robotz.com/index.php?title=A-Fast_Antivirus_Scam&oldid=6339"