| Description:
|
Details
Trojan.Win32.AnnoyingSaver
This text was written by Alexey Podrezov, F-Secure Corp.
This Trojan horse installs a screensaver and doesn't allow it to be removed. This is quite annoying, and the screensaver should be detected as a Trojan.
Upon being run, it will unpack several files and run the BAT installer. The BAT file copies the WAV file to the Temp directory and plays it with Media Player. At the same time, the HOT.EXE file is run. This file copies the screensaver DIVJA.SCR, ACTIVE.EXE, ACTIVE.LNK, ANIGIF.OCX and MSVBVM60.DLL to WindowsSystem folder, registers DIVJA.SCR as a default screensaver (in SYSTEM.INI) and adds an execution of ACTIVE.LNK to the Windows Registry so it will run each time. The files are also backed up as MNZ?.DLL.
Even if you remove the screensaver from the Control Panel, upon next system reboot, the LNK file will start an ACTIVE.EXE file and the screensaver will be active again. |
