Rogue Antivirus Program
XP Antivirus 2008 is a malware program that imitates a legitimate antivirus product: it installs itself as a startup process and then sets the following wallpaper to entice its victims to register the fake antivirus software in order to stop the prompts it constantly generates.
It also installs a copy of Mark Russinovich's BSOD Screen Saver, which simulates a PC crash and restart with one of the following random error messages.
BOGUS_DRIVER
IRQL_NOT_LESS_OR_EQUAL
BAD_POOL_HEADER
SYSINTERNAL_GREAT_SITE
KMODE_EXECPTION_NOT_HANDLED
PAGE_FAULT_IN_NONEPAGE_AREA
UNEXPECTED_KERNAL_MODE_TRAP
PANIC_STACK_SWITCH
NO_MORE_IRP_STACK_LOCATIONS
MAXIMUM_WAIT_OBJECTS_EXCEEDED
Files that the program places on an infected system:
in C:\Windows\system32
blphc7v6i0e5f7.exe
blphc7v6i0e5f7.scr
phc7v6j0e5f7.exe
lphcr7pj0e3d3.exe
in C:\Windows
winlogon.exe
in C:\Documents and Settings\{your user profile}\Local Settings\temp\
.tt3.tmp.vbs
The file names may vary between versions of the malware, but containing it is relatively easy.
Deleting the .vbs files found in C:\Documents and Settings\{your user profile}\Local Settings\temp\ while in Safe Mode cripples the software.
You can then run regedit and delete any entries referring to the files above from
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
if they are present there.
You will also need to enable “show hidden files and folders” in your Folder Options in order to see Local Settings in your local profile.
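Before deleting anything, it helps to see exactly which Run entries and temp files match the indicators above. The following read-only PowerShell triage script is an added example and not part of the original post; it assumes an XP-era profile layout (Local Settings\temp under the user profile) and builds its file-name pattern from the sample names listed above, which may not match newer variants.

```powershell
# Added example (not from the original post): read-only triage of the Run keys,
# the user temp folder and C:\Windows for the XP Antivirus 2008 artifacts above.
# Assumption: run as the affected user on an XP-style profile layout.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Pattern built from the sample names in the post (blphc*, phc*, lphc*); other
# versions may use different names, so treat a miss as inconclusive.
$namePattern = '(?i)(bl|l)?phc[0-9a-z]+\.(exe|scr)'
$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        $value = [string]$p.Value
        # Flag values that match the name pattern, launch a .vbs, or run from temp.
        $suspicious = ($value -match $namePattern) -or
                      ($value -match '(?i)\.vbs') -or
                      ($value -match '(?i)\\Local Settings\\temp\\')
        if ($suspicious) {
            $findings += [pscustomobject]@{ Where = $key; Name = $p.Name; Detail = $value }
        }
    }
}

# .vbs scripts in the user temp folder; -Force is needed because .tt3.tmp.vbs is hidden.
$temp = Join-Path $env:USERPROFILE 'Local Settings\temp'
if (Test-Path $temp) {
    Get-ChildItem -Path $temp -Filter '*.vbs' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Where = $temp; Name = $_.Name; Detail = $_.LastWriteTime }
        }
}

# The legitimate winlogon.exe lives in system32; a copy directly in C:\Windows is the indicator.
$rogueWinlogon = Join-Path $env:SystemRoot 'winlogon.exe'
if (Test-Path $rogueWinlogon) {
    $findings += [pscustomobject]@{ Where = $env:SystemRoot; Name = 'winlogon.exe'; Detail = 'outside system32' }
}

if ($findings.Count -eq 0) { 'No matching artifacts found.' } else { $findings | Format-Table -AutoSize }
```

The script only reports; removal of the listed entries and files is still done by hand in Safe Mode as described above.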
