BitDefender Antivirus

Trojan.FakeAv.QF

Propagation: medium
Damage: low
Size: about 1 MB
Detected: 2009 Aug 18

SYMPTOMS:

1. A rogue antivirus program called "Total Security 2009" that runs at system startup.
2. New applications are killed with the message "Application cannot be executed. The file [File Name] is infected. Please activate your antivirus software."
3. A process with a random 8-digit name (such as 11705314).
4. The file "c:\Documents and Settings\All Users\Application Data\[Rnd8]\[Rnd8].exe", where [Rnd8] is the same 8-digit random name as in point (3).
5. A desktop shortcut and a Start menu entry are added by some variants.

TECHNICAL DESCRIPTION:

This is a generic detection for a series of Rogue AV programs called "Total Security 2009" (a play on one of Bitdefender's product names).
When first run, the malware copies itself to c:\Documents and Settings\All Users\Application Data\[Rnd8]\[Rnd8].exe and executes a batch script to delete the original file.
A registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[Rnd8] is created to ensure that it runs at system startup.
A pseudo-scan starts and the same hardcoded detections are presented to the user, regardless of the state of the system.
Once the scan finishes, the user is asked to pay in order to clean the so-called "infections".
"Total Security 2009" is quite aggressive in forcing the user to register. New processes are declared to be infected and killed instantly.
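The persistence and process indicators described above can be checked mechanically. The following Python script is an added example, not BitDefender's detection code: it flags HKLM\...\Run values whose name is 8 digits and whose data points at the matching [Rnd8]\[Rnd8].exe path under the All Users "Application Data" folder, and flags running processes with an 8-digit image name. The registry values and process list are constructed sample data embedded inline; on a live system you would feed it the output of the Run key and the process list instead.

```python
import re
from typing import Dict, List

# Path pattern from the advisory: an 8-digit folder under
# "All Users\Application Data" containing an .exe with the same 8-digit name.
# The backreference \1 enforces that folder and file name are identical.
RND8_PATH = re.compile(
    r"^[a-z]:\\documents and settings\\all users\\application data\\"
    r"(\d{8})\\\1\.exe$",
    re.IGNORECASE,
)

# An 8-digit image name, with or without the .exe extension.
RND8_PROC = re.compile(r"^\d{8}(\.exe)?$", re.IGNORECASE)


def flag_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return the names of Run values that match the [Rnd8]\\[Rnd8].exe pattern.

    run_values maps value name -> value data, as read from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    hits = []
    for name, data in run_values.items():
        # Value data is often quoted; strip quotes and whitespace before matching.
        path = data.strip().strip('"')
        match = RND8_PATH.match(path)
        if match and match.group(1) == name:
            hits.append(name)
    return hits


def flag_processes(process_names: List[str]) -> List[str]:
    """Return process image names consisting of 8 random digits."""
    return [p for p in process_names if RND8_PROC.match(p)]


def correlate(run_values: Dict[str, str], process_names: List[str]) -> List[str]:
    """Return the [Rnd8] names present both as a Run value and as a running process."""
    running = {p.lower().removesuffix(".exe") for p in flag_processes(process_names)}
    return [name for name in flag_run_entries(run_values) if name in running]


# Constructed sample data (not captured from a real machine); the 8-digit
# value mirrors the example name given in the symptoms list.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "11705314": '"C:\\Documents and Settings\\All Users\\Application Data\\11705314\\11705314.exe"',
    "Updater": "C:\\Program Files\\Example\\update.exe",
}
SAMPLE_PROCESSES = ["explorer.exe", "11705314.exe", "svchost.exe"]

if __name__ == "__main__":
    print("suspicious Run values:", flag_run_entries(SAMPLE_RUN_VALUES))
    print("suspicious processes:", flag_processes(SAMPLE_PROCESSES))
    print("correlated:", correlate(SAMPLE_RUN_VALUES, SAMPLE_PROCESSES))
```

A Run value whose name does not equal the folder/file name, or a path outside the All Users "Application Data" folder, is deliberately not flagged, so ordinary startup entries produce no false positives; the correlation step ties the persistence entry to a live process, which is the combination the symptoms list describes.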

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Horea Coroiu, virus researcher