(KAV: Trojan.Win32.FraudPack.atsw)


- presence of the file:
  C:\Documents and Settings\[user name]\Local Settings\Application Data\[random-dir-name]\[random-file-name].exe
- presence of the following registry values:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random-name]
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random-name]
  both pointing to the file described above.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This trojan poses as a security program; it tries to make the unaware user pay for it in exchange for "cleaning" the computer of non-existent viruses.

When executed, the malware creates a copy of itself at C:\Documents and Settings\[user name]\Local Settings\Application Data\[random-dir-name]\[random-file-name].exe. Execution continues from that new location and the original process terminates. From the new location, two registry values are added to ensure it is run at every reboot: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random-name] and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random-name], both pointing to the copy inside the Application Data directory.

The malware also deactivates several (clean) programs installed on the affected machine: the AppInit_DLLs registry value is deleted, along with registry values pointing to several other programs (clean or not).
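The persistence pattern above (Run values in HKLM and HKCU whose target lives under the user's Local Settings\Application Data directory, plus a missing AppInit_DLLs value) can be checked from a PowerShell prompt. The script below is an added example for this description, not a BitDefender tool; it assumes the XP-era path named on this page and also checks the %LOCALAPPDATA% equivalent on later Windows versions, and it reads the AppInit_DLLs value from its standard location under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.

```powershell
# Added example (not BitDefender's code): report Run values that launch an executable
# from Local Settings\Application Data, and check whether AppInit_DLLs still exists.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Directory named on the page (Windows XP layout) plus the Vista-and-later equivalent.
# Empty entries (e.g. no LOCALAPPDATA variable on XP) are dropped.
$localAppData = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    $env:LOCALAPPDATA
) | Where-Object { $_ }

function Get-ExePathFromCommand {
    param([string]$Command)
    # Reduce a Run command line ("C:\path\x.exe" /arg or C:\path\x.exe /arg) to the executable path.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $idx = $cmd.ToLower().IndexOf('.exe')
    if ($idx -ge 0) { return $cmd.Substring(0, $idx + 4) }
    return $cmd
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
        if ($prop.Name -like 'PS*') { continue }
        $exe = Get-ExePathFromCommand -Command ([string]$prop.Value)
        foreach ($dir in $localAppData) {
            if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += New-Object PSObject -Property @{
                    Key    = $key
                    Value  = $prop.Name
                    Target = $exe
                    Exists = (Test-Path -LiteralPath $exe)
                }
            }
        }
    }
}

if ($findings) {
    Write-Host 'Run entries launching executables from Local Settings\Application Data:'
    $findings | Format-Table Key, Value, Target, Exists -AutoSize
} else {
    Write-Host 'No Run entries point into Local Settings\Application Data.'
}

# The page reports that the sample deletes AppInit_DLLs. On a default Windows install the
# value exists (usually empty), so its absence is a further indicator worth noting.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = Get-ItemProperty -Path $appInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue
if ($null -eq $appInit) {
    Write-Host "AppInit_DLLs value is missing from $appInitKey."
} else {
    Write-Host "AppInit_DLLs present: '$($appInit.AppInit_DLLs)'"
}
```

A hit is not proof of infection on its own, since legitimate updaters also run from the user profile; the combination of a randomly named directory and file, both Run values pointing at the same copy, and a deleted AppInit_DLLs value is what matches this description.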

Pop-ups warning the user that the computer is infected are displayed, stating that it will be disinfected only if the user upgrades to the "full version" of the "antivirus" software.