Summary
This detection identifies a malicious rogueware program, typically used to deceive users into purchasing a fake application.
Disinfection & Removal
Manual Disinfection
- - Boot into safe mode.
- - Locate and delete the files below:
- %appdata%\[random]\[random].exe
- %appdata%\[random]\[random]
- Reboot and run "Full System Scan" with F-Secure Antivirus to make sure the system is clean. For more general information on disinfection, please see Removal Instructions.
Technical Details
This malware may also be detected by generic detections using the following naming format:
- gen.variant.kazy.[####]
Where [####] can be any number.
Activity
On execution, the malware hijacks the desktop and displays the wallpaper below:
It then displays a fake scanner program (System Tool) that displays bogus virus/trojan/spyware detections.
These actions are done to frighten the user into buying the fake application.
The malware also prevents execution of any other application. This disables applications like command prompt, regedit, Task Manager (including the keyboard shortcut Ctrl+Alt+Del), etc.
Installation
During installation, the malware adds the following files:
- %appdata%\[random]\[random].exe - (malware executable)
- %appdata%\[random]\[random] - (Data file)
Registry Changes
Launchpoint registry :
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce [random] = %appdata%\[random]\[random].exe
Submit a sample
Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)
F-Secure Community
Give advice. Get advice. Share the knowledge on our free discussion forum.