NavaShield is a fake antivirus software. It fools users into downloading and installing malicious software ("malware") by giving them false alerts and running fake scans with exaggerated results. It tries to fool the user into buying a "full" version of the product. However, all NavaShield really does is give fake results in virus scans, download more malware and, for those fooled into buying the registered version of the fake product, identity theft.
How it works[change | change source]
NavaShield had its own website, navashield.com. It looked like a legitimate antivirus website, such as those by Symantec and McAfee. Because of this, many Windows users were fooled and decided that the program looked trustworthy enough to download.
Once downloaded, the user must manually install NavaShield, by clicking on a link. Once installed, NavaShield will run and perform a scan. For the first week, NavaShield just tells the user that their system is protected. After the week has gone by, NavaShield starts its damage. It starts with annoying "ticking" noises and a popup telling the user that their trial is over. If the user leaves it like this long enough, NavaShield will damage the user's system.
The most common thing that the user notices is the ticking noise. After the countdown the same popup follows, except a loud, annoying laughing sound plays through the computer's speakers. This is followed by the browser opening random pornographic sites, and Windows Explorer loading random folders. It also tries to email fake addresses and Microsoft Sam starts swearing at the user. This simulates a real malware infection, fooling users into thinking that they need to buy NavaShield to remove it. During this, Task Manager is blocked to ensure that the process is not killed.
The second, more rare thing is a fake format of the hard drive. A NavaShield "your computer is infected" popup appears in the corner. In the centre of the screen a fake error message saying "C Drive is being deleted" slowly expands to cover the entire screen. The Internet Explorer popup blocked sound plays continuously and program execution is blocked. After the program has ended the computer displays a blank blue screen.
System Changes[change | change source]
Files Created[change | change source]
%ProgramFiles%\Nava Labs\NavaShield\NavaUpdater.exe %ProgramFiles%\Nava Labs\NavaShield\NavaBridge.exe %ProgramFiles%\Nava Labs\NavaShield\NavaDebugger.exe %ProgramFiles%\Nava Labs\NavaShield\NavaShield.exe %UserProfile%\desktop\NavaShield.lnk
Folders Created[change | change source]
%ProgramFiles%\Nava Labs %StartMenu%\Nava Shield %StartMenu%\Programs\Nava Shield %ApplicationData%\Programs\Nava Shield
Registry Changes[change | change source]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NavaBridge "C:\Program Files\Nava Labs\NavaShield\NavaBridge.exe" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NavaDebugger "C:\Program Files\Nava Labs\NavaShield\NavaDebugger.exe" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NavaUpdater "C:\Program Files\Nava Labs\NavaShield\NavaUpdater.exe"