In association with heise online

26 March 2008, 15:27

Bogus security software vendor lands in US court


For a couple of years malicious software under various names including Messenger Blocker, WinAntiVirus Pro, WinAntiSpyware and System Doctor has been plaguing unsuspecting users with bogus Windows Messenger Service pop-ups. The originator of these dubious products has now landed in court in Washington State. An injunction was filed yesterday against Ron Cooke and his company Messenger Solutions LLC. It claims that the defendants have violated both the US Computer Spyware Act and the US Consumer Protection Act.

Unusually, the complaint contains significant technical detail. It appears that the defendants first set up a system that exploits the Windows Messenger Service (WMS) by transmitting advertising messages to the service over the internet. Inconveniently large numbers of pop-ups appeared on computers that had WMS enabled, advertising various products including pornography and pharmaceuticals. Some of the later messages then advertised pop-up blocking software. Users who obtained and installed the software on a "free trial" obtained temporary relief, but once the trial period expired, bogus pop-ups were generated locally by the software in such numbers that systems became effectively unusable. The supposed products offered further relief on payment of around $20 to "register", but it is not clear whether this was an effective remedy. Some versions of the software had no "free trial" period.

The software has proved difficult to remove from infected systems. It hides itself in several ways, including not appearing in the install list and locking out Task Manager. It also adds itself to the user's bookmarks. Around 200,000 results were returned by Google for the four product names cited by the injunction, mostly guidance on how to remove the software. Since Windows XP SP, WMS has been disabled by default.

