Rogue antiviruses are already a familiar hazard for Internet users; a fake removal tool is a newer and more unpleasant surprise, all the more so because this one is labeled as a BitDefender product.
Cyber-criminals commonly piggyback on popular events or products. Following the intensive black-hat SEO campaigns that tried to hijack searches related to the Stuxnet worm, they have now produced a malicious file impersonating the BitDefender Stuxnet Removal Tool. Instead of removing anything, it deletes the contents of the computer's C: drive.
The so-called removal tool carries an icon depicting a syringe. As soon as it is run, it drops and executes a batch file that first makes a few Registry tweaks to annoy the user and then starts deleting every file on the C: drive.
Before the deletion starts, the Trojan swaps the mouse buttons and changes the file associations for exe, mp3 and video files so that the user can no longer open those file types. It then silently deletes everything it can; only files that are already in use, and therefore locked against deletion, are spared. After 10 minutes the Trojan forces a system reboot, and the system will most likely never come back up.
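The behaviour described above (Registry tweaks, association changes, a recursive delete of the system drive, a delayed forced reboot) maps onto a handful of cmd.exe built-ins, which makes a batch dropper like this one a good candidate for cheap static triage before anything is executed. The scanner below is an added example written for this page; it is neither BitDefender's detection logic nor the Trojan's own code. The sample script it scans is constructed to match the article's description, and the exact commands it assumes (a `reg add` on SwapMouseButtons, `assoc` on the watched extensions, `del /s` on `C:\*.*`, `shutdown -r -t 600`) are assumptions about how such a payload would be written, not the contents of Trojan.BAT.Delall.

```python
import re
from dataclasses import dataclass
from typing import List

# Extensions the article says the Trojan re-associates, plus a few common
# video types (assumption: the page names no exact list of video formats).
WATCHED_EXT = {".exe", ".mp3", ".avi", ".mpg", ".mpeg", ".wmv", ".mp4"}

# Constructed sample input that does what the article describes. This is
# illustrative test data written for this example, NOT the real payload.
SAMPLE_BAT = r"""@echo off
rem annoy the user first
reg add "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f
assoc .exe=txtfile
assoc .mp3=txtfile
assoc .avi=txtfile
rem wipe the system drive; files held open by running processes survive
del /f /s /q C:\*.* >nul 2>&1
shutdown -r -f -t 600
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    command: str


_ROOT_GLOB = re.compile(r"^[a-z]:\\(?:\*|\*\.\*)?$", re.I)      # C:\  C:\*  C:\*.*
_ROOT_DIR = re.compile(r"^[a-z]:\\?$", re.I)                   # C:  C:\
_HKCR_EXT = re.compile(r"^(?:HKCR|HKEY_CLASSES_ROOT)\\(\.[a-z0-9]+)", re.I)


def split_commands(line: str) -> List[str]:
    """Split one batch line on &, && and || (but not the & inside '2>&1')."""
    return [c.strip() for c in re.split(r"(?<!>)&&?|\|\|", line) if c.strip()]


def tokenize(cmd: str) -> List[str]:
    """Minimal cmd.exe-style tokenizer: quoted strings stay as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def analyze_command(line_no: int, cmd: str) -> List[Finding]:
    """Apply the heuristics to a single command and return what matched."""
    tokens = tokenize(cmd)
    if not tokens:
        return []
    verb = tokens[0].lstrip("@").lower()
    # shutdown accepts both -r and /r; normalize every switch to '/'.
    args = [("/" + t[1:]) if (t and t[0] in "-/") else t for t in tokens[1:]]
    switches = {a.lower() for a in args if a.startswith("/")}
    targets = [a for a in args if not a.startswith("/")]
    found: List[Finding] = []

    # Recursive delete whose target is the root of a drive.
    if verb in ("del", "erase") and "/s" in switches and any(_ROOT_GLOB.match(t) for t in targets):
        found.append(Finding(line_no, "mass-delete-drive-root", cmd))
    elif verb in ("rmdir", "rd") and "/s" in switches and any(_ROOT_DIR.match(t) for t in targets):
        found.append(Finding(line_no, "mass-delete-drive-root", cmd))

    # Scheduled reboot; report the delay so the analyst sees the 10-minute fuse.
    if verb == "shutdown" and "/r" in switches:
        delay = 0
        low = [a.lower() for a in args]
        if "/t" in low:
            i = low.index("/t")
            if i + 1 < len(args) and args[i + 1].isdigit():
                delay = int(args[i + 1])
        found.append(Finding(line_no, f"forced-reboot-after-{delay}s", cmd))

    # Registry writes: mouse-button swap, or file associations under HKCR.
    if verb == "reg" and len(args) >= 2 and args[0].lower() == "add":
        key = args[1]
        if "control panel\\mouse" in key.lower() and any(a.lower() == "swapmousebuttons" for a in args):
            found.append(Finding(line_no, "mouse-button-swap", cmd))
        m = _HKCR_EXT.match(key)
        if m and m.group(1).lower() in WATCHED_EXT:
            found.append(Finding(line_no, f"file-association-tamper:{m.group(1).lower()}", cmd))

    # The same tampering done through the assoc built-in.
    if verb == "assoc" and args and "=" in args[0]:
        ext = args[0].split("=", 1)[0].lower()
        if ext in WATCHED_EXT:
            found.append(Finding(line_no, f"file-association-tamper:{ext}", cmd))
    return found


def scan_batch(text: str) -> List[Finding]:
    """Run the heuristics over every command in a batch script."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip().lstrip("@")
        if not stripped or stripped.lower().startswith(("rem ", "rem\t", "::")):
            continue
        for cmd in split_commands(line):
            findings.extend(analyze_command(n, cmd))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Destroying the system drive is decisive; the annoyances alone are only suspicious."""
    rules = {f.rule.split(":")[0] for f in findings}
    if "mass-delete-drive-root" in rules:
        return "malicious"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    hits = scan_batch(SAMPLE_BAT)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}: {f.command}")
    print("verdict:", verdict(hits))
```

The split on `&` deliberately ignores the `&` in `2>&1`, since droppers routinely redirect output to `nul` to stay quiet; without that exception the redirection would be mis-parsed as a second command. The verdict logic weights the drive-root delete above the Registry tweaks on purpose: swapping mouse buttons or re-associating `.exe` is annoying and suspicious, but a recursive delete of `C:\` is what makes the file destructive.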
Running the Trojan not only renders the system unbootable; any valuable information stored on the C: drive, such as e-mail conversations, photos or documents, is lost as well. BitDefender has already added a signature for this fake removal tool, which it identifies as Trojan.BAT.Delall.
Whenever you download free utilities from the Internet, make sure the download repository is trustworthy and scan the downloaded file with your antivirus of choice. Wherever possible, download such tools only from the producer's official page. The genuine BitDefender removal tool for Stuxnet is available from the Downloads section of Malware City.
Information in this article is available courtesy of Răzvan Benchea, BitDefender Malware Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of their respective owners.