Hidden Desktop shortcuts
Can’t start new processes
Presence of the registry key mentioned below
Please let BitDefender disinfect your files.
George Cabau, virus researcher
The malware perform the following actions:
When first ran, the malware creates a directory in “%systemdrive%\Documents and Settings\All Users\Application Data\”
with an 8-digit random name, where it makes a copy of itself under the same random name, (for example “C:\Documents and Settings\All Users\Application Data\67134122\67134122.exe”) and a batch file which runs the new created copy with “install” parameter and deletes the original file. After this, the batch file self-deletes.
Now the malware popup an alert telling that you intalled “Security Tool”, creates shortcuts pointing to it on desktop, start-menu and tray icon, puts itself at startup by creating a new entry in the registry “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” which points at it.
After this the malware tries to trick the user that his computer is infected with different malware, and he needs to register and buy it for the cleanup. To achieve this, it will display different messages telling that it found infected files on the computer.
After a restart it hides desktop items, tries to close almost all application which the user tries to open. If the user opens some internet browsers will show firewall alert. After a few time it will try to get more seriously about this, intercepting keyboard and mouse events and displaying a screensaver with a fake “Blue-Screen” while it tries to shutdown the computer, fooling the victim that his machine is seriously infected.
In all this time it tries to send information about the infected machine to a remote server.