Trojan.FakeAlert.ACR
HIGH
MEDIUM
~200KB
(Backdoor.Win32.Frauder.ca; Win32/TrojanDownloader.FakeAlert.IC trojan; Win32:FraudLoad-RM; BDS/Frauder.CE)
Symptoms
The desktop background changes suddenly, without the user's consent, to an image alerting the user that their computer is infected.
The presence of the following files in %SYSDIR%: blphc9pvj0e1ac.scr, lphc9pvj0e1ac.exe, phc9pvj0e1ac.bmp.
Removal instructions:
Please let BitDefender delete the infected files.
In order to be able to change your desktop again, run regedit and delete the following registry values (the two values under Policies\System are what hide the Background and Screen Saver pages of Display Properties; the other two only record the installation):
HKCU\Software\Sysinternals\Bluescreen Screen Saver
EulaAccepted = 0x00000001
HKLM\SOFTWARE\Microsoft\Software Notifier
InstallID = 83ee564f-bf54-4dca-a4ff-f5601fbdefac
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispScrSavPage = 0x00000001
NoDispBackgroundPage = 0x00000001
Analyzed By
Dana Stanut, virus researcher
Technical Description:
When executed, this malware drops the following files in %SYSDIR%:
blphc9pvj0e1ac.scr - set as the new screensaver; detected by BitDefender as Trojan.FakeAlert.AAI
lphc9pvj0e1ac.exe - a copy of the initial file
phc9pvj0e1ac.bmp - the image used as wallpaper; detected by BitDefender as Trojan.FakeAlert.AAF
In order to be executed at every system startup, it adds the following value under the Run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lphc9pvj0e1ac -> C:\WINDOWS\system32\lphc9pvj0e1ac.exe
It sets the new wallpaper and screensaver by adding or modifying the registry values presented below. The two Policies\System values hide the Background and Screen Saver pages of Display Properties, so after these modifications the user is no longer able to change their background image or screensaver:
HKCU\Control Panel\Desktop
OriginalWallpaper = C:\WINDOWS\system32\phc9pvj0e1ac.bmp
TileWallpaper = 0
WallpaperStyle = 0
SCRNSAVE.EXE = C:\WINDOWS\system32\blphc9pvj0e1ac.scr
ScreenSaveTimeOut = 600
Wallpaper = C:\WINDOWS\system32\phc9pvj0e1ac.bmp
ConvertedWallpaper = C:\WINDOWS\system32\phc9pvj0e1ac.bmp
HKCU\Software\Sysinternals\Bluescreen Screen Saver
EulaAccepted = 0x00000001
HKLM\SOFTWARE\Microsoft\Software Notifier
InstallID = 83ee564f-bf54-4dca-a4ff-f5601fbdefac
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispScrSavPage = 0x00000001
NoDispBackgroundPage = 0x00000001
It will also attempt to download a rogue antivirus from http://antivirusxp-2008.net which, once installed, alerts the user about false infections detected on their computer in order to mislead them into buying the licensed version of this software.
After all these modifications, the current (infected) system state is saved as the "Last good restore point" using a VB script detected by BitDefender as Application.CleanSystemRestore.A. Rolling back with System Restore to that point therefore does not remove the infection.
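As an added example (not BitDefender's tool and not code from the original page), the following PowerShell script audits a host for every indicator listed in the symptoms, removal instructions and technical description above, and with -Remove deletes the dropped files, removes the malware's Run entry, policy lock and installation markers, and blanks the hijacked wallpaper values so the user can pick a new background. The script name Check-FakeAlertACR.ps1, the -Remove switch and the function names are my assumptions, as is the assumption that the dropped .exe may still be resident and must be stopped before its file can be deleted.

```powershell
<#
Check-FakeAlertACR.ps1 (added example, not BitDefender's tool; name and -Remove switch are assumptions).
Run as the affected user (HKCU values) from an elevated prompt (HKLM values, %SYSDIR% files).
#>
[CmdletBinding()]
param([switch]$Remove)   # default is report-only

$sysDir = Join-Path $env:SystemRoot 'system32'
$tag    = 'phc9pvj0e1ac'

# Files the dropper writes to %SYSDIR% (names from the technical description)
$files = @(
    (Join-Path $sysDir "bl$tag.scr"),   # screensaver (Trojan.FakeAlert.AAI)
    (Join-Path $sysDir "l$tag.exe"),    # copy of the dropper
    (Join-Path $sysDir "$tag.bmp")      # wallpaper image (Trojan.FakeAlert.AAF)
)

# Registry values the malware adds or changes. Action 'Delete' = the value belongs to the malware
# or its policy lock; 'Blank' = the value name is legitimate, so clear it instead of deleting it.
$regValues = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';            Name="l$tag";               Expected=(Join-Path $sysDir "l$tag.exe");        Action='Delete' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='NoDispScrSavPage';     Expected=1;                                      Action='Delete' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='NoDispBackgroundPage'; Expected=1;                                      Action='Delete' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Software Notifier';                      Name='InstallID';            Expected='83ee564f-bf54-4dca-a4ff-f5601fbdefac'; Action='Delete' },
    @{ Path='HKCU:\Software\Sysinternals\Bluescreen Screen Saver';             Name='EulaAccepted';         Expected=1;                                      Action='Delete' },
    @{ Path='HKCU:\Control Panel\Desktop';                                     Name='SCRNSAVE.EXE';         Expected=(Join-Path $sysDir "bl$tag.scr");       Action='Delete' },
    @{ Path='HKCU:\Control Panel\Desktop';                                     Name='Wallpaper';            Expected=(Join-Path $sysDir "$tag.bmp");         Action='Blank'  },
    @{ Path='HKCU:\Control Panel\Desktop';                                     Name='OriginalWallpaper';    Expected=(Join-Path $sysDir "$tag.bmp");         Action='Blank'  },
    @{ Path='HKCU:\Control Panel\Desktop';                                     Name='ConvertedWallpaper';   Expected=(Join-Path $sysDir "$tag.bmp");         Action='Blank'  }
)

function Get-FakeAlertIndicator {
    # Returns one object per indicator actually present; an empty result means the host looks clean.
    $hits = @()
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $hits += [pscustomobject]@{ Kind='File'; Path=$f; Name=$null; Data=$null; Action='Delete' }
        }
    }
    foreach ($r in $regValues) {
        if (-not (Test-Path -LiteralPath $r.Path)) { continue }
        $item = Get-ItemProperty -LiteralPath $r.Path -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $prop = $item.PSObject.Properties[$r.Name]
        # Compare as strings so a REG_DWORD 1 matches the literal 1; -ieq ignores path case.
        if ($null -ne $prop -and "$($prop.Value)" -ieq "$($r.Expected)") {
            $hits += [pscustomobject]@{ Kind='Registry'; Path=$r.Path; Name=$r.Name; Data=$prop.Value; Action=$r.Action }
        }
    }
    return $hits
}

function Remove-FakeAlertIndicator {
    # Assumption: the dropped .exe may still be running; stop it first or Remove-Item fails on the in-use file.
    Get-Process -Name "l$tag" -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($h in Get-FakeAlertIndicator) {
        switch ($h.Kind) {
            'File'     { Remove-Item -LiteralPath $h.Path -Force }
            'Registry' {
                if ($h.Action -eq 'Blank') { Set-ItemProperty -LiteralPath $h.Path -Name $h.Name -Value '' }
                else                       { Remove-ItemProperty -LiteralPath $h.Path -Name $h.Name }
            }
        }
        Write-Host ("{0,-7} {1} {2}" -f $h.Action, $h.Path, $h.Name)
    }
}

$found = Get-FakeAlertIndicator
if (-not $found) { Write-Host 'No Trojan.FakeAlert.ACR indicators found.'; return }
$found | Format-Table Kind, Path, Name, Data -AutoSize
if ($Remove) { Remove-FakeAlertIndicator }
else         { Write-Host 'Report only; rerun with -Remove to delete the files and revert the registry values.' }
```

Run it once without -Remove to see which indicators are present, then with -Remove after the antivirus has had its turn; log off and back on so the cleared wallpaper and the unhidden Display Properties pages take effect. The script does not touch the rogue antivirus the dropper fetches from antivirusxp-2008.net, which is a separate installation, and it cannot undo the restore point the VB script created, so do not rely on System Restore for this cleanup.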