Microsoft added detection support for “Win32/InternetAntivirus (also dabbled with the names General Antivirus and Personal Antivirus)” to the Windows Malicious Software Removal Tool. “Win32/InternetAntivirus follows the familiar path of fake online scanner leading to the rogue downloader, which in turn installs the rogue itself. This rogue downloader also downloads a password stealer called TrojanSpy:Win32/Chadem. Win32/Chadem tries to grab FTP usernames and passwords that the rogue creators can then use to compromise servers in order to host more malware. They use new domain names every day, often registering multiple names at a time, like scanfan4.info, star4scan.info and scanstar4.info,” revealed Hamish O'Dea of Microsoft.