
The world of misleading applications (aka "rogue antispyware") never ceases to amaze with clever social engineering and tricks to con and persuade users into parting with their hard-earned cash. We have recently noticed a sharp increase in the number of these applications. One example we came across recently that is contributing heavily to the trend is called AVSystemCare.



This misleading application is unique in two ways:

- It uses a clever trick that makes it easy to generate an endless number of clones that look and behave the same but are named differently.

- It offers localized versions in numerous languages.

AVSystemCare uses a clever trick that allows all of its clones to share identical files yet carry different names. Installing any of these clones involves downloading a small file from the clone Web site. When the user executes this file, it downloads the main application components. All of the application files, including the files downloaded from the clone Web sites, are identical (for clones of the same language).



So, if these files are the same for every clone, how does the installer know which name to use when installing the application? The answer lies in the user's cookies. After you have visited a clone Web site to download the application, several cookies are stored on your computer. Visiting a couple of clone Web sites shows that these cookies are very similar for each domain:



image1.jpg



When the downloaded file is executed, it parses the user's cookies looking for ones named 'gli', 'gai' and 'gI'. Domains that have these cookies will also have a randomly named cookie containing the clone application name in the Content field:



image2sm.jpg



The installer uses this name in the subsequent installation. The most recent matching cookies are used, so if you download clone A and then visit the Web site of clone B, the application will be called clone B when you install it.



You might be wondering what happens if you clear your cookies prior to installing the application. If the installer cannot find the cookies it is looking for, it uses a default name. For English clone versions this name is AVSystemCare. Our tests also showed that the AVSystemCare cookie engine successfully parses cookies for Internet Explorer and Firefox, but not Opera or Safari.



In case you're not happy with the name of your AVSystemCare clone, you can simply edit your cookies before installing it to get the name of your choice:



image3.jpg



image4sm.jpg



image5sm.jpg



The makers of AVSystemCare have also not limited themselves to English-language clones; so far, we have seen clones in 11 different languages: English, Portuguese, German, Danish, Spanish, Italian, French, Japanese, Dutch, Norwegian, and Swedish. At the moment there are over 70 domains hosting clones of AVSystemCare in different languages; for example avsystemcare, virenfrierpc, norwayvirus, etc.



As before, all of the clones for a given language are identical except for the name, as shown in these Japanese and Norwegian clones:



image6sm.jpg



image7sm.jpg



The following video demonstrates the similarities between AVSystemCare and some of its clones:





As the AVSystemCare machine continues to pump out clone after clone, users need to be extra vigilant. Symantec's new microsite on misleading applications offers some insight into these threats, how they attack, and how to protect yourself against them.

