Microsoft Security

Beware of Hicurdismos: It’s a fake Microsoft Security Essentials installer that can lead to a support call scam

(Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines. You can also read our latest blog, Teaming up in the war on tech support scams.)

Wouldn’t it be a shame if, in trying to secure your PC, you inadvertently install malware and run the risk of being scammed?

We recently discovered a threat detected as SupportScam:MSIL/Hicurdismos.A that pretends to be a Microsoft Security Essentials installer. Microsoft Security Essentials is our antimalware product for Windows 7 and earlier. In Windows 10 and Windows 8, Windows Defender provides antimalware protection and is installed and enabled by default when Windows is installed. However, some users may believe they also need to download and install Microsoft Security Essentials.

Hicurdismos uses a fake Windows error message (sometimes called a “blue screen of death”, or BSoD) to launch a technical support scam. A real BSoD is a fatal error in which the screen turns blue and the computer crashes. Recovery from a BSoD error typically requires the user to reboot the computer.

The fake BSoD screen includes a note to contact technical support. Calling the indicated support number will not fix the BSoD, but may lead to users being encouraged to download more malware under the guise of support tools or software that is supposed to fix a problem that doesn’t exist.

Interestingly, the fake BSoD screen used by Hicurdismos mimics an error message used in Windows 8 and Windows 10, so users of these new Windows versions could also be at risk of being tricked by Hicurdismos.

Technical support scams have been around for years, but they have recently been observed to be growing. We have seen attackers use increasingly sophisticated social engineering tactics to mislead users into calling for technical support, after which they are asked to pay to “fix” a problem on the PC that does not exist. Real error messages from Microsoft do not include support contact details. See the bottom of this blog for links and information on how to contact Microsoft Support.

Hicurdismos is an installer that arrives via a drive-by download. SmartScreen Filter in Internet Explorer and Microsoft Edge flags this threat with the prompts shown below, cautioning the user not to run or save the malware:

You will not get warnings like these when downloading and installing legitimate programs from Microsoft.

If the malicious installer is downloaded onto the computer, it mimics the real Microsoft Security Essentials installer by using a similar icon. However, closer inspection reveals differences in the file properties, including the filename: Hicurdismos uses the file name setup.exe.

The file setup.exe is a SmartInstaller package, which contains a malicious file that pretends to be Microsoft Security Essentials. Unlike the installer, the malicious file has the same file property information as the legitimate Microsoft Security Essentials executable.

When run, the malware immediately renders the fake BSoD experience. To do so, it performs the following:

The malware drops a copy of itself in the following path:

%SystemRoot%\bluesquarez llc\sysprotector\microsoft security essentials.exe

It also creates an auto start launch point in the registry:

In subkey: HKEY_USERS\<SID/user>\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: “Sysprotector”

With data: “%SystemRoot%\bluesquarez llc\sysprotector\microsoft security essentials.exe”
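A defender-side check for the two persistence artifacts just described, added here as an example and not part of the original post or of any Microsoft tooling. It assumes PowerShell 5.1 or later running with rights to read the loaded user hives under HKEY_USERS; the dropped path, Run value name and reference SHA1 are taken from the post, and the script only reports, leaving cleanup to Windows Defender Offline.

```powershell
# Added example: look for Hicurdismos persistence artifacts on the local machine.
# Reports findings only; it does not delete files or registry values.

$ReferenceSha1 = 'e1e78701049a5e883a722a98cdab6198f7bd53a1'   # reference sample SHA1 from the post
$DroppedPath   = Join-Path $env:SystemRoot 'bluesquarez llc\sysprotector\microsoft security essentials.exe'
$RunValueName  = 'Sysprotector'

$findings = @()

# 1. Dropped copy: check the path and compare its SHA1 to the reference. A mismatch does
#    not mean the file is clean; the post's hash may refer to a different component.
if (Test-Path -LiteralPath $DroppedPath) {
    $hash = (Get-FileHash -LiteralPath $DroppedPath -Algorithm SHA1).Hash.ToLower()
    $detail = if ($hash -eq $ReferenceSha1) { 'SHA1 matches reference sample' }
              else { "SHA1 $hash does not match reference sample" }
    $findings += [pscustomobject]@{ Type = 'DroppedFile'; Where = $DroppedPath; Detail = $detail }
}

# 2. Autostart: walk every loaded user hive (HKU\<SID>) and inspect its Run key for the
#    Sysprotector value name or for any value whose data points into the dropped folder.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
         Where-Object { $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $hives) {
    $runKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $runKey)) { continue }
    $props = Get-ItemProperty -LiteralPath $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $byName = $p.Name -eq $RunValueName
        $byData = "$($p.Value)" -like '*bluesquarez llc\sysprotector\*'
        if ($byName -or $byData) {
            $findings += [pscustomobject]@{
                Type   = 'RunKey'
                Where  = "$runKey\$($p.Name)"
                Detail = "data: $($p.Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No Hicurdismos persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so that all loaded user hives are readable; users who are not logged on have no hive under HKEY_USERS and would need their NTUSER.DAT loaded separately.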

Mitigation and Prevention

Hicurdismos misleads users and lures them into calling a number that connects them to a fake technical support operation. Like most social engineering techniques, it can be avoided through knowledge and alertness. Some important things to note:

If your PC is infected with this threat, use Windows Defender Offline to scan it.

Report the incident to Microsoft and contact your local scam-reporting organization. Organizations for the United States, Canada, United Kingdom, and Australia include:

When you receive a phone call or see a pop-up window on your PC and you are uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk.

If you have already engaged with and paid for fake support:

Reference SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1

Francis Tan Seng and Alden Pornasdoro

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity.