Thursday, December 1, 2011

What is MS Antivirus (malware)

MS Antivirus
Developer(s) Bakasoftware, Innovative Marketing, Inc.
Operating system Microsoft Windows
Type Rogue software
MS Antivirus (also known as Spyware Protect 2009) is a scareware rogue anti-virus which claims to remove fake virus infections found on a computer running Microsoft Windows. It attempts to scam the user into to purchasing a "full version" of the software.


MS Antivirus has a number of other names. It is also known as XP Antivirus, Vitae Antivirus, Windows Antivirus, Win Antivirus, Antivirus Pro, Antivirus Pro 2009, Antivirus 2007, 2008, 2009, 2010, and 360, Internet Antivirus Plus, System Antivirus, Spyware Guard 2008 and 2009, Spyware Protect 2009, Winweb Security 2008, System Security, Malware Defender 2009, Ultimate Antivirus2008, Vista Antivirus, General Antivirus, AntiSpywareMaster, Antispyware 2008, XP AntiSpyware 2008, 2009 and 2010, Antivirus Vista 2010, WinPCDefender, Antivirus XP Pro, Anti-Virus-1, Antivirus Soft, Antispyware Soft, Antivirus System PRO, Antivirus Live, Vista Anti Malware 2010, Internet Security 2010, XP Antivirus Pro, Security Tool, VSCAN7, and Total Security.

Symptoms of infection

Each variant has its own way of downloading and installing itself onto a computer. MS Antivirus is made to look functional to fool a computer user into thinking that it is a real anti-virus system in order to convince the user to "purchase" it. In a typical installation, MS Antivirus runs a scan on the computer and gives a false spyware report claiming that the computer is infected with spyware. Once the scan is completed, a warning message appears that lists the spyware ‘found’ and the user has to either click on a link or a button to remove it. Regardless of which button is clicked -- "Next" or "Cancel" -- a download box will still pop up. This deceptive tactic is an attempt to scare the Internet user into clicking on the link or button to purchase MS Antivirus. If the user decides not to purchase the program , then they will constantly receive pop-ups stating that the program has found infections and that they should register it in order to fix them. This type of behavior can cause a computer to operate slower than normal.

MS Antivirus will also occasionally display fake pop-up alerts on an infected computer. These alerts pretend to be a detection of an attack on that computer and the alert prompts the user to activate, or purchase, the software in order to stop the attack. More seriously it can cause a picture of a Blue Screen of Death to be pasted over the screen and then for a fake startup image to be displayed telling the user to buy the software. The registry is also modified so the software runs at system startup. The following files may be downloaded to an infected computer:

  • MSASetup.exe
  • MSA.exe
  • MSA.cpl
  • MSx.exe

Depending on the variant, the files will have different names and therefore can appear or be labeled differently. For example, Antivirus 2009 will have the .exe file name a2009.exe.

In addition, in an attempt to make the software seem legitimate, MS Antivirus can give the computer symptoms of the "viruses" that it claims are on the computer. For example, some shortcuts on the desktop may be changed to link instead to porn websites.

Malicious actions

Most variants of this malware will not be overtly harmful, as they usually will not steal a user's information (as spyware) nor critically harm a system. However, the software will act to inconvenience the user by frequently displaying popups that prompt the user to pay to register the software in order to remove non-existent viruses. Some variants are more harmful; they display popups whenever the user tries to start an application or even tries to navigate their hard drive, especially after they restart their computer. It does this by modifying the Windows registry. This can clog the screen with repeated pop-ups, potentially making the computer virtually unusable. It can also disable real antivirus program s to protect itself from removal. Whichever variant infects a computer, MS Antivirus always uses system resources when running, potentially making an infected computer run slower than before.

The malware can also block access to known spyware removal sites and in some instances, searching for "antivirus 2009" (or similar search terms) on a search engine will result in a blank page or an error page. Some variants will also redirect the user from the actual Google search page to a false Google search page that states that the user has a virus and should get Antivirus 2009 with a hotlink to the virus’s page.

AntiVirus2009 can also disable legitimate anti-malware program s and prevent the user from opening or re-enabling them. Anti-malware applications disabled by AntiVirus2009 include McAfee, Spybot - Search & Destroy, AVG, Malwarebytes' Anti-Malware, and Superantispyware.

MS Antivirus is constantly updated and re-released to prevent detection by common legitimate anti-virus scanners


In November 2008, it was reported that a hacker known as NeoN hacked the Bakasoftware's database, and posted the earnings of the company received from XP Antivirus. The data revealed the most successful affiliate earned USD$158,000 in a week.

Court actions

On December 2, 2008 the U.S. District Court for the District of Maryland issued a temporary restraining order against Innovative Marketing, Inc. and ByteHosting Internet Services, LLC after receiving a request from the Federal Trade Commission (FTC). According to the FTC, the combined malware of WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus has fooled over one million people into purchasing the software marketed as security products. The court also froze the assets of the companies in an effort to provide some monetary reimbursement to affected victims. The FTC established claims that the companies established an elaborate ruse that duped Internet advertising networks and popular Web sites into carrying their advertisements.

According to the FTC complaint, the companies charged in the case operated using a variety of aliases and maintained offices in the countries of Belize and Ukraine (Kiev). ByteHosting Internet Services is based in Cincinnati, Ohio. The complaint also names defendants Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno in its filing, along with Maurice D’Souza, who is named relief defendant, for receiving proceeds from the scheme.

Learn about more Trojan Viruses like the Zlob Trojan by clicking here
Do you think you have this? learn how to remove MS Antivirus (malware)


  1. Thanks for the info. I think, to install a reliable Virus Protection software like kaspersky or mcafee in our system make it free from various infections.
    As a computer technician i always recommend my clients to use antivirus and keep it up-to date.

  2. Viruses are the most dangerous thing for any computer because it deletes your important file. It is better to take strong antivirus protection software.
    Vastu Shastra
    marriage astrology