Annoying pop-up windows saying that the computer is infected and requesting to register the program "Antivirus 2010"
The presence of the folder %Programs%\AntivirusPro_2010
Please let BitDefender disinfect your files.
Ovidiu Visoiu, virus researcher
This is a downloader for the Antivirus Pro 2010 fake-alert malware, which gets installed on the system in two steps. First, it will try to download from a few (randomly named) locations a file saved as "%user_documents%\Application Data\lizkavd.exe". The new executable will then attempt to connect, using a name and a password, to further (also randomly named) locations and download a password-protected archive. This archive contains the fake-alert malware (Trojan.FakeAV.VH), which will be installed in the %Programs%\AntivirusPro_2010 folder.
When executed, the downloader will copy itself to:
%user_documents%\application data\seres.exe
The copies will be started together and will protect each other from being terminated by the user, using two named mutexes.
Also, the above two copies are registered to run at system startup:
mserv= %user_documents%\application data\seres.exe
It will lower security settings by modifying the following registry keys:
CheckExeSignatures = no
RunInvalidSignatures = 0x1
LowRiskFileTypes = zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav
After applying the above settings, the malware will try to download another executable from:
checking when the download is completed by querying Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
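
A triage check built from the indicators above, as an added example that is not part of the original BitDefender description: it scans the text of a registry export for the weakened values and for startup entries that point at the dropped files. The sample export is constructed, and its key paths are assumed to be the usual Windows locations for these value names, since the description does not list them.

```python
import re

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Yield (key, name, data) from .reg text; strings unescaped, dwords as int."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
        elif m := VALUE.match(line):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                data = int(raw[6:], 16)
            else:
                data = raw.strip('"').replace("\\\\", "\\")
            yield key, name, data

def weakened(name, data):
    """Return a reason if the value matches a change listed in the description."""
    n, text = name.lower(), str(data).lower()
    if n == "checkexesignatures" and text == "no":
        return "executable signature checking disabled"
    if n == "runinvalidsignatures" and data == 1:
        return "running files with invalid signatures allowed"
    if n == "lowriskfiletypes" and ".exe" in text.split(";"):
        return ".exe treated as a low-risk file type"
    if text.endswith(("\\application data\\seres.exe",
                      "\\application data\\lizkavd.exe")):
        return "entry points at a file named in the description"
    return None

def scan(text):
    return [(key, name, why) for key, name, data in parse_reg_export(text)
            if (why := weakened(name, data))]

# Constructed sample export. Key paths are the usual Windows locations for
# these value names (an assumption; the description does not list them).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.exe;.reg"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mserv"="C:\\Documents and Settings\\user\\Application Data\\seres.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
```

`scan(SAMPLE)` returns one finding per weakened value plus the `mserv` startup entry; the benign `ctfmon` entry is not reported.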