Trojan.Win32.AnnoyingSaver

Class Trojan
Platform Win32
Description

Technical Details

This text was written by Alexey Podrezov, F-Secure Corp.

This Trojan horse installs a screensaver and doesn’t allow it to be
removed. This is quite annoying, and the screensaver should be detected as
a Trojan.

When run, it unpacks several files and runs the BAT installer. The BAT
file copies the WAV file to the Temp directory and plays it with Media
Player. At the same time, the HOT.EXE file is run. This file copies the
screensaver DIVJA.SCR, ACTIVE.EXE, ACTIVE.LNK, ANIGIF.OCX and MSVBVM60.DLL
to the Windows\System folder, registers DIVJA.SCR as the default
screensaver (in SYSTEM.INI) and adds an entry to the Windows Registry that
executes ACTIVE.LNK, so it will run at each system startup. The files are
also backed up as MNZ?.DLL.

Even if you remove the screensaver from the Control Panel, on the next
system reboot the LNK file will start ACTIVE.EXE and the screensaver will
be active again.
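
The following triage check is an added example, not part of the original F-Secure description. It classifies a host from its SYSTEM.INI text and a System-folder file listing, including the case described above where the screensaver has been unset but the launcher files remain. Assumptions: the screensaver setting is read from the standard `SCRNSAVE.EXE` entry in the `[boot]` section, and the sample paths and verdict names are constructed for illustration.

```python
import fnmatch
import ntpath

# File names taken from the description above; MNZ?.DLL are the backup copies.
DROPPED = ("DIVJA.SCR", "ACTIVE.EXE", "ACTIVE.LNK", "MNZ?.DLL")
# MSVBVM60.DLL is the Visual Basic 6 runtime and is common on clean machines;
# ANIGIF.OCX is treated the same way here (assumption), so neither counts alone.
SHARED = ("ANIGIF.OCX", "MSVBVM60.DLL")

def screensaver_from_system_ini(text):
    """Return the SCRNSAVE.EXE value from [boot] (assumed location), or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "scrnsave.exe":
                return value.strip()
    return None

def triage(system_ini_text, file_paths):
    """Classify a host from its SYSTEM.INI text and a System-folder listing."""
    names = {ntpath.basename(p).upper() for p in file_paths}
    saver = screensaver_from_system_ini(system_ini_text) or ""
    hijacked = ntpath.basename(saver).upper() == "DIVJA.SCR"
    dropped = sorted(n for n in names
                     if any(fnmatch.fnmatchcase(n, pat) for pat in DROPPED))
    launcher = {"ACTIVE.EXE", "ACTIVE.LNK"} <= names
    if hijacked:
        verdict = "active"
    elif launcher:
        verdict = "rearms_on_reboot"   # screensaver unset, launcher still there
    elif dropped:
        verdict = "remnants"
    else:
        verdict = "clean"
    return {"verdict": verdict, "dropped": dropped,
            "shared": sorted(names & set(SHARED))}

# Constructed sample: screensaver removed in Control Panel, files left behind.
SAMPLE_INI = "[boot]\nshell=Explorer.exe\nSCRNSAVE.EXE=\n[386Enh]\ndevice=*vmm32\n"
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\ACTIVE.EXE", r"C:\WINDOWS\SYSTEM\ACTIVE.LNK",
                r"C:\WINDOWS\SYSTEM\MNZ1.DLL", r"C:\WINDOWS\SYSTEM\MSVBVM60.DLL"]

if __name__ == "__main__":
    print(triage(SAMPLE_INI, SAMPLE_FILES))
```

A `rearms_on_reboot` verdict means cleanup has to remove ACTIVE.EXE, ACTIVE.LNK and the MNZ?.DLL backups as well as the screensaver setting.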