Rogue antispyware/antivirus software

Detection Names: Fraudtool, Gen:Heur.Krypt.9, Trojan.Win32.Fraudpack.gen
Category: Malware
Type: Rogue
Platform: W32

Summary

Deceptive or fraudulent antispyware/antivirus software that uses misleading or high-pressure tactics (e.g., falsely claiming a malware infection or deliberately infecting the machine) to pressure users into installing or purchasing the software.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

When searching our Virus Descriptions database for a specific program (e.g., Rogue:W32/Example.A), you may be directed to this page if the overview below sufficiently describes the program.

Alternatively, you may be directed to this page if no description matching that specific query is currently available. You can submit a sample of the suspect file to our Response Lab for further analysis via:


About Rogues

Rogue antispyware or antivirus programs typically closely mimic legitimate applications, using similar (or even identical) styling and packaging to convey legitimacy.

The quality of the software itself is also suspect; most rogues are deliberately fraudulent, but some are simply substandard products that present false information. For example, one rogue displays a list of fake "threats" seen below:


Note the misspelling of threats as "threads". The two files listed are common and are found on any installation of Windows. They are text files that contain configuration information for Windows. They are not executable programs.
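The check a responder can make on such a "threat" list, as an added example that is not part of the original description: classify each flagged file by its leading bytes and single out the entries that are plain text rather than Windows executables. The file names, sample bytes and function names are constructed for illustration.

```python
import struct

def classify(data: bytes) -> str:
    """Return 'pe-executable', 'text' or 'other' for a file's raw bytes."""
    # A Windows executable starts with the DOS magic "MZ"; the 32-bit
    # little-endian field at offset 0x3C (e_lfanew) points to "PE\0\0".
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "pe-executable"
    # UTF-16 text (common for Windows files) carries a byte-order mark.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        try:
            data.decode("utf-16")
            return "text"
        except UnicodeDecodeError:
            return "other"
    # Heuristic for 8-bit text: no NUL bytes and valid UTF-8.
    if data and b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "other"

def questionable_detections(report):
    """Given (name, bytes) pairs a scanner flagged, list the plain-text ones."""
    return [name for name, data in report if classify(data) == "text"]

# Constructed sample data: a minimal PE header stub and a small INI-style file.
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
TEXT_CONFIG = b"[settings]\r\nexample=1\r\n"
SAMPLE_REPORT = [("sample_tool.exe", PE_STUB), ("sample_config.ini", TEXT_CONFIG)]

if __name__ == "__main__":
    for name in questionable_detections(SAMPLE_REPORT):
        print(f"{name}: flagged as a threat but is plain text, verify the alert")
```

A text result is a triage signal only: scripts are also plain text, so the file's content and purpose still need a look before the alert is dismissed.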

Others present false positives due to bugs in the software's code, not because of an outright lie. Code corrections can move a suspected rogue off the antispyware detection lists.

Many rogue applications present outright false positives as a means to alarm computer users into buying their application, as can be seen in the screenshot below:




Distribution

Many rogues are distributed using very questionable sales tactics. These products are often promoted by websites which aggressively display notices that the visitor's machine is infected and requires disinfection.

Detecting problems in a demo or trial version but requiring a license to remove them is also a typical tactic:



Free, fully functional trial periods are usually not offered. Users will be told that they need to buy protection even if there is nothing dangerous found.

Affiliate marketing programs are often used to sell rogue antispyware. Every time an affiliate product is installed and sold, a commission is paid. The result is a strong pressure to sell, by any means necessary.

In the most extreme cases, spyware or other malware will sometimes silently install rogue antispyware, which then offers to remove the spyware. Trojans and toolbars are other sources that prompt for rogues to be installed.

Rogues that have been available for a while are also often repackaged and given new names in order to gain new, unsuspecting users.