Wireshark Antivirus is a rogue anti-spyware program from the same family as Sysinternals Antivirus. It tries to confuse users by borrowing a name that is well known in the security community: by calling itself Wireshark, the rogue suggests a connection to the legitimate network protocol analyzer Wireshark, which is commonly used to diagnose the traffic flowing over a network. Wireshark Antivirus, though, is a program that holds the proper operation of the user's computer to ransom until the user purchases it. It is promoted through Trojans that install the program onto the user's computer without permission, and through advertisements pretending to be online anti-malware scanners.

Payloads

Once Wireshark Antivirus is installed, it is configured to start automatically when Windows starts. Once started, it performs a scan and states that the user has numerous infections on their computer, but does not allow the user to remove or disinfect them until they purchase the program. In reality, all of the files it reports as infections are legitimate Microsoft Windows files.

While Wireshark Antivirus is running, it also blocks applications from running on the user's computer. When the user attempts to run a program, Wireshark Antivirus terminates it and displays this message:

Security Warning:
The file C:\Program Files\MalwareBytes' Anti-Malware\mba.exe is infected.
Running of application is impossible.

Please activate your antivirus software.

This message is completely false and is displayed only to stop the user from running legitimate security software that might remove Wireshark Antivirus.
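Both behaviours above (a scan whose "infections" are all stock Windows files, and a fake "Security Warning" popup that blocks a real program) can be recognised mechanically during triage. The following Python helper is an added example and is not part of the original page or of any product; the popup text it parses is the message quoted above, while the other popup samples, the list of "infected" paths, and the SECURITY_TOOL_HINTS substrings are constructed assumptions for illustration.

```python
"""Triage helper for the rogue-AV behaviour described above.

Two checks over constructed sample input:
1. Recognise the fake "Security Warning" popup that claims a file is infected
   and that running the application is impossible, and pull out the path of
   the program the rogue actually blocked.
2. Given the paths a scanner reported as "infections", measure how many are
   stock files under the Windows directory: a scan whose findings are almost
   all legitimate system files is the rogue's own signature.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample popup texts. The first mirrors the message quoted on the page;
# the others are made up for this example.
SAMPLE_POPUPS = [
    "Security Warning:\n"
    "The file C:\\Program Files\\MalwareBytes' Anti-Malware\\mba.exe is infected.\n"
    "Running of application is impossible.\n\n"
    "Please activate your antivirus software.",
    "Security Warning:\n"
    "The file C:\\Windows\\System32\\notepad.exe is infected.\n"
    "Running of application is impossible.\n\n"
    "Please activate your antivirus software.",
    # A genuine Windows error, included to show the parser ignores it.
    "Windows cannot find 'report.exe'. Make sure you typed the name correctly.",
]

# Constructed list of "infections" a rogue scan might report: all real Windows
# system file names, since the page says the rogue flags legitimate Windows files.
SAMPLE_SCAN_RESULTS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\drivers\ntfs.sys",
]

POPUP_RE = re.compile(
    r"Security Warning:\s*The file (?P<path>.+?) is infected\.\s*"
    r"Running of application is impossible\.",
    re.DOTALL,
)

# Assumption: substrings that suggest the blocked program is a security product.
# Rogue AVs block these first, so a hit here raises the priority of the alert.
SECURITY_TOOL_HINTS = ("malwarebytes", "anti-malware", "antivirus", "defender")


@dataclass
class BlockedApp:
    path: str            # executable the rogue refused to run
    security_tool: bool  # True when the blocked program looks like a security product


def parse_block_popup(text):
    """Return a BlockedApp if `text` is the rogue's application-blocking popup, else None."""
    match = POPUP_RE.search(text)
    if match is None:
        return None
    path = match.group("path").strip()
    lowered = path.lower()
    return BlockedApp(path, any(hint in lowered for hint in SECURITY_TOOL_HINTS))


def windows_system_fraction(paths, system_root=r"C:\Windows"):
    """Fraction of `paths` that live under `system_root` (case-insensitive, Windows rules)."""
    if not paths:
        return 0.0
    root = ntpath.normcase(system_root).rstrip("\\") + "\\"
    inside = sum(1 for p in paths if ntpath.normcase(p).startswith(root))
    return inside / len(paths)


def assess_scan(paths, threshold=0.9):
    """Label a scan report as rogue-like when nearly every 'infection' is a system file."""
    fraction = windows_system_fraction(paths)
    if fraction >= threshold:
        return "rogue-like: reported infections are stock Windows files"
    return "inconclusive: findings are not dominated by Windows system files"


if __name__ == "__main__":
    for popup in SAMPLE_POPUPS:
        print(parse_block_popup(popup))
    print(assess_scan(SAMPLE_SCAN_RESULTS))
```

The popup parser keys on the exact wording of the rogue's message, so it will not match ordinary Windows errors; the scan assessment deliberately uses a fraction rather than a fixed list of file names, because the rogue's distinguishing trait is that its "detections" are overwhelmingly real system files, not which particular files it names.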