1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Rogue:W32/SystemTool

Rogue:W32/SystemTool

Name : Rogue:W32/SystemTool
Detection Names : Gen.Variant.Kazy
Category:Malware
Type:Rogue
Platform:W32

Summary

This detection identifies a malicious rogueware program, typically used to deceive users into purchasing a fake application.

Disinfection

Manual Disinfection

- Boot into safe mode.
- Locate and delete the files below:
  • %appdata%\[random]\[random].exe
  • %appdata%\[random]\[random]
- Reboot and run "Full System Scan" with F-Secure Antivirus to make sure the system is clean.

For more general information on disinfection, please see Removal Instructions.

Additional Details

This malware may also be detected by generic detections using the following naming format:
  • gen.variant.kazy.[####]
Where [####] can be any number.


Activity

On execution, the malware hijacks the desktop and displays the wallpaper below:



It then displays a fake scanner program (System Tool) that displays bogus virus/trojan/spyware detections.



These actions are done to frighten the user into buying the fake application.

The malware also prevents execution of any other application. This disables applications like command prompt, regedit, Task Manager (including the keyboard shortcut Ctrl+Alt+Del), etc.



Installation

During installation, the malware adds the following files:
  • %appdata%\[random]\[random].exe - (malware executable)
  • %appdata%\[random]\[random] - (Data file)


Registry Changes

Launchpoint registry :
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    [random] = %appdata%\[random]\[random].exe