- presence of the files Documents and Settings\[user-name]\Application Data\seres.exe and Documents and Settings\[user-name]\Application Data\svcst.exe
- presence of registry keys pointing to the files described above: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mserv and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost
- scareware messages popping up on the screen
Please let BitDefender disinfect your files.
Lutas Andrei Vlad, virus researcher
This malware has a single purpose: downloading fake-AV applications onto the victim's computer. When executed, it performs the following actions:
- unpack its main body, which resides inside the .data section
- check whether Antivirus PRO 2010 is already present on the machine, by looking for the key HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010
- make copies of itself inside Documents and Settings\[user-name]\Application Data, as seres.exe
- add 2 startup registry keys (inside HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run), pointing to seres.exe and svcst.exe
- execute svcst.exe
The new process will perform the following:
- create a new instance of the malware, by running seres.exe
These 2 newly created processes watch each other so that at least one of them is always running on the attacked computer: if one of them is terminated, the other relaunches it. The infamous little red cross icon appears in the system tray, and fake-alert notification messages are displayed from a separate thread running inside the malware: "Your computer is infected!", "Windows has detected spyware infection!", "It is recommended to use special antispyware tools to pervent data loss.Windows will now download and install the most up-to-date antispyware for you.", "Click here to protect your computer from spyware!".
Obviously, the downloaded "antispyware" software is nothing but Antivirus Pro 2010, a fake security application, which is downloaded from various sources and saved as Documents and Settings\[user-name]\Application Data\lizkavd.exe or as %windir%\Application Data\lizkavd.exe.
Behind any of these links lies the same executable file (currently detected as Trojan.FakeAV.UO), which is installed on the affected computer once downloaded.
Note: [user-name] represents the actual user-name of the logged-on user.
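The indicators listed above (the dropped files, the two Run values, the AntivirusPro_2010 marker key and the pair of mutually restarting processes) can be checked from an administrative PowerShell prompt with the following read-only script. This is an added example written for this page, not a BitDefender tool or part of the original write-up; it assumes that "Documents and Settings\[user-name]\Application Data" corresponds to the profile's %APPDATA% folder (so the paths also resolve on newer Windows versions), that the Run value names are "mserv" and "svchost" as stated above, and it only reports findings without deleting or modifying anything.

```powershell
# Added example (not part of the BitDefender write-up): read-only check for the
# Trojan.FakeAV downloader indicators described on this page.
# Assumption: the per-user "Application Data" folder of the write-up is %APPDATA%.

$findings = @()

# 1. Dropped files in the per-user Application Data folder and under %windir%.
$fileIndicators = @(
    (Join-Path $env:APPDATA 'seres.exe'),
    (Join-Path $env:APPDATA 'svcst.exe'),
    (Join-Path $env:APPDATA 'lizkavd.exe'),
    (Join-Path $env:windir  'Application Data\lizkavd.exe')
)
foreach ($path in $fileIndicators) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type      = 'File'
            Indicator = $path
            Detail    = "size=$($item.Length) modified=$($item.LastWriteTime)"
        }
    }
}

# 2. The two HKCU Run values that persist the watchdog processes
#    (value names "mserv" and "svchost", as given in the write-up).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($valueName in 'mserv', 'svchost') {
    $props = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        $findings += [pscustomobject]@{
            Type      = 'RunValue'
            Indicator = "$runKey\$valueName"
            Detail    = $props.$valueName
        }
    }
}

# 3. The marker key the downloader consults to see whether the fake AV is installed.
$markerKey = 'HKLM:\SOFTWARE\AntivirusPro_2010'
if (Test-Path -LiteralPath $markerKey) {
    $findings += [pscustomobject]@{ Type = 'RegKey'; Indicator = $markerKey; Detail = 'present' }
}

# 4. The two mutually restarting processes. The legitimate svchost.exe lives in
#    System32; the dropper's processes run from the Application Data folder, so
#    the image path, not just the name, is what is checked here.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Name -in 'seres', 'svcst') -and ($_.Path -like "$env:APPDATA\*") } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type      = 'Process'
            Indicator = "$($_.Name).exe (PID $($_.Id))"
            Detail    = $_.Path
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.FakeAV downloader indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the two processes restart each other, a finding of type Process should be read together with the RunValue findings: terminating one process without removing both Run values and both files leaves the other process free to recreate the infection, which is why the write-up directs the user to let the antivirus disinfect the system rather than deleting files by hand.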