In a bid to create even more panic among the unfortunate users who have been tricked into downloading this fake AV solution, and to make them pay for a “full version”, the latest rogue solution that TrendLabs is warning about also contains a .DLL file that gets inserted into the Layered Service Provider (LSP) chain.
So, instead of just bombarding the user with the usual fake virus alerts, it also prevents your browser from opening specific sites – usually the most visited ones in general (facebook.com, youtube.com, myspace.com, etc.).
The content of the sites in question is replaced by this:
It’s interesting to note that there are some users that won’t be faced with this alert, but that is no reason to celebrate. It just means that the fake AV application that goes by the name “Internet Security 2010” is already installed, thus completing the illusion – if you installed it, you will be able to access those sites again.
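A DLL inserted into the LSP chain shows up in the Winsock catalog as an entry that is not a plain base provider, so a saved catalog listing can be audited for it. The following is an added example, not code from TrendLabs or the original article: it assumes the field labels printed by `netsh winsock show catalog`, and the sample listing, entry IDs and DLL path are constructed.

```python
# Constructed sample in the layout of `netsh winsock show catalog`, trimmed to
# the fields used below. Entries 1015 and 1016 and their DLL path are invented.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        Example Filter
Provider Path:                      C:\Users\Public\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        Example Filter over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Users\Public\example_lsp.dll
Catalog Entry ID:                   1016
Protocol Chain Length:              2
"""

SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def parse_catalog(text):
    """Split the listing into one dict of 'label: value' fields per entry."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so C:\ paths survive
            if sep:
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def layered_entries(entries):
    """Return entries that are not plain base providers (chain length 1)."""
    flagged = []
    for e in entries:
        if int(e.get("Protocol Chain Length", "1")) != 1:
            path = e.get("Provider Path", "")
            # Location is only a triage hint: a DLL in system32 can still be hostile.
            flagged.append({"id": e.get("Catalog Entry ID"), "path": path,
                            "outside_system32": not path.lower().startswith(SYSTEM_DIRS)})
    return flagged
```

A chain length of 0 marks the layered provider itself and a length above 1 marks a chain built on top of it; each flagged entry still needs its DLL checked, since legitimate software also installs LSPs.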