New evil malware!

Discussion in 'Software' started by dlb, Sep 1, 2010.

  1. dlb

    dlb MajorGeek

    I have a PC here that has a new infection on it (new to me anyway). It is a PERFECT replica of Microsoft's Security Essentials (MSSE), but it exhibits the same behavior as other rogues that tell you every file is infected. For example, if you hit CTRL+ALT+DEL, it will tell you the file tskmgr.exe is infected. If you type appwiz.cpl in the Run box to open Add/Remove Programs, it will tell you that it's infected, and so on. At first, I thought it was the legit MSSE because it looks exactly the same; I think it visually is the same GUI or "shell". I looked through the All Programs list and when I didn't see Microsoft Security Essentials listed, I knew it was rogue. I tried to grab a screen shot of it, but it wouldn't let me run Paint (or any other Paint type of program) to paste the shot into; it kept telling me mspaint.exe was a trojan and it was infected. Its "core" program can be found here:
    Windows XP: C:\Documents And Settings\%user_name%\Application Data\defender.exe
    Windows 7/Vista: C:\Users\%user_name%\AppData\Local\defender.exe (also check the Roaming and LocalLow folders)

    Just a heads up for those of you running MSSE. If you get this rogue, you may not realize it's actually a virus for some time because it does look so much like MSSE, and it even says "Microsoft Security Essentials" in the title bar of the warning windows.
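    As an added example (my own script, not something from the original post or from Microsoft), here is a PowerShell check that walks every user profile on the drive and reports any defender.exe sitting in the application-data folders the post lists, with timestamps and a SHA-256 hash so the file can be looked up or submitted. The profile roots and subfolders are taken from the post; the -Drive parameter and the hash helper are my additions. It is written to run on PowerShell 2.0, so it works on XP as well as Vista/7.

```powershell
# Added example (not from the original post): look for the rogue's "core"
# program, defender.exe, in the per-user folders named in the post.
# Run from an elevated prompt. -Drive lets you point at an infected disk
# mounted on a clean machine (e.g. -Drive 'E:'), which is the safer way to
# check, since the rogue blocks tools like Paint and Task Manager while running.
param([string]$Drive = 'C:')

$rogueName = 'defender.exe'

# Profile roots for XP and for Vista/7; whichever exists on this drive is checked.
$profileRoots = @("$Drive\Documents and Settings", "$Drive\Users") |
    Where-Object { Test-Path -LiteralPath $_ }

# Per-profile subfolders where the post says the rogue drops defender.exe.
$relativeDirs = @(
    'Application Data',   # Windows XP
    'AppData\Local',      # Windows 7 / Vista
    'AppData\Roaming',    # post: "also check the Roaming and LocalLow folders"
    'AppData\LocalLow'
)

# SHA-256 via .NET so this works on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256Hex([string]$path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

$hits = foreach ($root in $profileRoots) {
    # -Force includes hidden profile folders; PSIsContainer keeps only directories.
    $profiles = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($profile in $profiles) {
        foreach ($rel in $relativeDirs) {
            $candidate = Join-Path (Join-Path $profile.FullName $rel) $rogueName
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $file = Get-Item -LiteralPath $candidate -Force
                New-Object PSObject -Property @{
                    User     = $profile.Name
                    Path     = $file.FullName
                    SizeKB   = [math]::Round($file.Length / 1KB, 1)
                    Created  = $file.CreationTime
                    Modified = $file.LastWriteTime
                    SHA256   = Get-Sha256Hex $candidate
                }
            }
        }
    }
}

if ($hits) {
    $hits | Select-Object User, Path, SizeKB, Created, Modified, SHA256 | Format-List
} else {
    "No $rogueName found in any user profile's application-data folders on $Drive"
}
```

    A hit is only a lead, not proof: the Created timestamp usually lines up with when the fake MSSE windows first appeared, and the hash is what you submit to your AV vendor or compare against a known-bad list before deleting anything.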
     
  2. Imperfect1

    Imperfect1 Private First Class

    dlb, please tell us, where did the rogue MSSE come from? Did you download it from a particular site, or what?
     
  3. brandypeppy

    brandypeppy MajorGeek

    Thanks DLB, I'm sure it's just a matter of time before I come across that one too!

    And yes, do you have any idea where the user found this one?
     
  4. dlb

    dlb MajorGeek

    It wasn't on my PC, it was on a client's PC, and I have no idea where they picked it up. It really wouldn't matter that much 'cuz these rogues move around A LOT!! Just because a PC was infected from a particular site does not mean that visiting that same site will again infect other PCs (however, it's not a good idea to knowingly visit a site that has infected PCs in the past). For example, read my experiences in this thread. I was disturbed by this particular rogue mainly because it looked IDENTICAL to Microsoft's Security Essentials. All the other rogues I've dealt with (and there have been DOZENS) were usually fairly easy to identify as rogues just by looking at their window, or by the name, or by the spelling and/or grammar errors, but this one had me convinced for a while that it was, indeed, Microsoft Security Essentials. Scary.
     
  5. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    Talk the customer into installing WOT. At least, he/she might think twice before clicking on any search links that pop up in Google if the site has a yellow or red dot.
    Malwarebytes and SpywareBlaster prevent me from getting to lots of sites that are unsafe.
     