Fake Eclipse Antivirus
Eclipse Antivirus, which is sometimes referred to as fake Eclipse Antivirus, obviously isn't real anti-virus software. Furthermore, there is something really wrong going on with Eclipse Antivirus, and no one on the Internet seems to be able to come to a consensus about what that is. It is possible that Eclipse Antivirus is part of a new trend in fake anti-virus software scams, and that, at least, is cause for concern.
Eclipse Antivirus and its Website
A visit to the Eclipse Antivirus website is enough to create suspicion about the software it claims to offer. The site is full of peculiar, generic-sounding text, images that look as if they could be stolen and completely fake testimonials. The site offers a free trial download of Eclipse Antivirus, which is supposedly good for 15 days, as well as paid downloads of Eclipse Antivirus with three tiers of service, beginning at USD$50. You really can download the free trial on the site, and Eclipse Antivirus doesn't act like a rogue anti-virus application. Eclipse Antivirus doesn't generate fake alerts, or show false positives in scans, or prevent other applications from running. In fact, Eclipse Antivirus doesn't seem to do much of anything. Eclipse Antivirus runs, but it just sort of sits there. Eclipse Antivirus shows a reminder that you are using a "trial version" which will have to be paid for eventually, but that's it.
The disturbing thing about Eclipse Antivirus is that, despite its lack of typical rogue anti-virus program symptoms, its executable file is known malware. Eclipse Antivirus is ave.exe, and ave.exe is the executable file for the large, dangerous malware family distributed by Trojan.Win32/FakeRean, which includes Vista Antivirus, Win 7 Total Security, and a bunch of others. The name a rogue program in this family takes is usually determined when it figures out which version of Windows you have, and it chooses one or two other words at random to add to it. Ave.exe is behind some of the worst malware scams in existence. So, it really, really should not be the executable file for any real anti-virus software. Eclipse Antivirus's interface is the same as all of the rogue anti-virus programs that are part of the Win32/FakeRean scam, as well.
And That's Not All Eclipse Antivirus Can Do...
The really crazy thing is that's only the tip of the iceberg. Eclipse Antivirus has clones. Eclipse Antivirus has a lot of clones. So far, these include Ultim Security Antivirus, HDScan Antivirus, SpyBlocker, and UltimBlock Antivirus. All of these applications use an installer program that is spelled wrong, called instaler.exe. Each of these programs has at least one site that claims to be the site of the company selling the software, and some of them have two. The sites are identical in content. They have the same text, word for word, throughout all of their tabs and sub-pages. There are some superficial differences in their graphics and color schemes, and here and there one or two of them will have its own slogan before moving on to the stock text, but otherwise they are absolutely the same. At this point, the list of sites includes eclipseantivirus.com, hdscanantivirus.com, spy-blocker.com, storetrio.com, trioneck.com, ultimblock.com, and ultimsecurity.com.
All of these websites are hosted by the Phoenix, AZ company Atjeu Publishing, LLC, and at Atjeu Publishing, the contact person for all of them is Boris Vasilev. In the publicly available registration information for these sites, each one of them is registered to a different individual with a different address – and all but one of them are Russian. (The other one is Ukrainian.)
The programs these sites offer seem to do absolutely nothing, positive or negative, and so taken as a whole, the evidence points to a startling conclusion: There is a new variety of Russian fake anti-virus software scam. This time, instead of infecting your computer with a Trojan and trying to squeeze money from you with an anti-virus program that is malicious and obviously fake, they are setting up a bunch of sites that look and act harmless, but which don't actually deliver on what they claim to offer. In a sense, this is more of a straight-up scam, because a product is offered for sale, and it isn't what it should be. It's subtler and quieter than the malware spread by Trojans, and it's going unnoticed. The websites for Eclipse Antivirus and its clones began going up in December 2010, with additions in January and February 2011. If this is a new scam that has been around for two months, and no one has noticed because there is no in-your-face, vicious malware associated with it, then that is a chilling prospect indeed.
What gave them away? They made a stupid mistake. All of the websites for these fake anti-virus programs have the same fake user testimonials on them. In fact, the testimonials are supposedly from fan pages on Facebook and from Twitter users, although none of these fake anti-virus programs has a Facebook page or other social networking identity. On each page for each fake anti-virus program, the testimonials were edited to include the name of whatever program that particular page was going to promote. The problem is that they missed one! One of the testimonials, variously credited to "Eric" or "cericsmith" includes a comment on Eclipse Antivirus, regardless of which page it appears on or which program it is supposed to be praising. Thank goodness for bad find-and-replace!
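The two tells described above (word-for-word identical site text and a testimonial that still names a sibling product) can be checked mechanically. The following is an added example, not part of the original article: the product and site names come from the article, while the page texts, the unrelated site example.org and the 0.8 threshold are constructed assumptions.

```python
import re
from itertools import combinations

# Product names listed in the article.
BRANDS = ["Eclipse Antivirus", "Ultim Security Antivirus", "HDScan Antivirus",
          "SpyBlocker", "UltimBlock Antivirus"]

# Constructed sample text, keyed by (site, product the site claims to sell).
PAGES = {
    ("eclipseantivirus.com", "Eclipse Antivirus"):
        "Eclipse Antivirus keeps your PC safe. Eric: I love Eclipse Antivirus, it just works!",
    ("hdscanantivirus.com", "HDScan Antivirus"):
        "HDScan Antivirus keeps your PC safe. Eric: I love Eclipse Antivirus, it just works!",
    ("spy-blocker.com", "SpyBlocker"):
        "SpyBlocker keeps your PC safe. Eric: I love Eclipse Antivirus, it just works!",
    ("example.org", "Other AV"):  # constructed unrelated site
        "We are a small vendor of backup tools with our own documentation and forum.",
}

def normalize(text):
    """Mask every known product name so that only the shared template remains."""
    for brand in sorted(BRANDS, key=len, reverse=True):
        text = re.sub(re.escape(brand), "<BRAND>", text, flags=re.I)
    return re.sub(r"\W+", " ", text.lower()).split()

def shingles(words, k=3):
    """Set of overlapping k-word windows, used as the page fingerprint."""
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(a, b):
    """Jaccard similarity of two pages after product names are masked."""
    sa, sb = shingles(normalize(a)), shingles(normalize(b))
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def foreign_brands(own, text):
    """Sibling product names left behind on a page that sells `own`."""
    return [b for b in BRANDS if b != own and re.search(re.escape(b), text, re.I)]

def find_clones(pages, threshold=0.8):
    """Return (site pairs sharing a template, sites with leftover sibling names)."""
    pairs = [(a[0], b[0]) for (a, ta), (b, tb) in combinations(pages.items(), 2)
             if similarity(ta, tb) >= threshold]
    leftovers = {site: hits for (site, own), text in pages.items()
                 if (hits := foreign_brands(own, text))}
    return pairs, leftovers

if __name__ == "__main__":
    print(find_clones(PAGES))
```
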
File System Details
Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.

# | File Name | Detections |
---|---|---|
1. | c:WINDOWSsystem32drivers.exe | |
2. | c:WINDOWS.dll | |
3. | c:WINDOWS.exe | |
4. | c:WINDOWSsystem32.dll | |
5. | c:WINDOWSsystem32.exe | |
6. | c:WINDOWSsystem32drivers.dll | |
7. | %PROGRAM_FILES%\Fake Eclipse Antivirus | |
8. | C:\Documents and Settings\ | |
9. | C:\Documents and Settings\ | |