Windows users have come into contact with a new tech support scam that fakes a Bluescreen of Death (BSOD) in order to trick them into buying fake support software.  The scam, which first started to make rounds in late November, takes on the form of a fake troubleshooter program and also prevents normal system operation.

This Windows support scam is distributed as a hacked software installer.  When a user attempts to install the software, they instead download a number of unwanted executable files.   These files include programs to block removal attempts, display the fake BSOD screen, run the troubleshooter program, and even take screenshot captures of a user’s desktop and upload them online.

Once all malicious programs are downloaded they will start to run in order, first by launching the fake blue screen of death.  For anyone not familiar with a BSOD, this is a computer crash alert that typically displays when Windows system files have become corrupt or a hardware failure has occurred.  Real BSOD crashes require a full system restart to fix and that should be the first tip off that this malware is a scam.

After the BSOD screen displays, the malware will launch a separate window called Troubleshooting Windows.  This troubleshooting program mimics the traditional Windows troubleshooter and will proceed to run a system scan. The scan results are fabricated and always return a list of corrupt or missing files.

The Fake Troubleshooter Scan in Action

The next step of the scam is to inform users that in order to repair the damaged  files, they need to buy a copy of Windows Defender Essentials.  This is a trick as Windows Defender and Security Essentials are already part of the Windows platform.  Using a well-known set of security programs as part of their malware allows the scammers to come across with a degree of legitimacy.  Of course, if the compromised user agrees to pay the fee, all they are doing is removing the temporary lock from their computer.

One final concern with this malware scam is the screen capture functionality.  The researchers who discovered the scam noted that when the malware activates, it is able to capture a screen shot of the user’s desktop and host that image online.  It is unclear what purpose this functionality serves but it is suspected that it might be used for future blackmail or identity theft attempts.

While this malware is disruptive, one piece of good news is that it is not nearly as dangerous or as well designed as many type of ransomware that can lock down an entire computer.  Infected users can bypass the PayPal purchase screen by accessing a system dialogue box.

Only do this if infected

Press the Ctrl+O keyboard combination

Type: and then press enter

After completing these steps, the malware will be tricked into thinking that you paid the PayPal fee and will release your computer.  At this point, you should perform a computer malware scan and ensure that all infected files have been removed.