Posted by on Aug 17, 2008 in General | 0 comments

I got a call last week from a firm I had been in contact with, but had not yet done any work for.

One of the principals had gotten a viral infection: Antivirus XP 2008. I assisted with the removal of it, but got a call about 15 minutes after I left that the “Blue Screen” was still there.

When I got back on site, I saw what appeared to be a Blue Screen of Death (BSOD), followed by a partial reboot, followed by a BSOD, followed by a partial reboot…rinse and repeat. I started to hyperventilate (figuring I would be there all night), when the user pointed out that he could just press CTRL-ALT-DEL and the Task Manager would pop up.

After a little research, I discovered that this is just a very diabolical screen saver. And, to make things more complicated, registry entries are put in to keep you from turning it off.

From Symantec’s website, here is how you manually remove the Trojan.BluSOD:

Note: Be sure to back up the registry before working on it!

Navigate to and delete the following registry entries:

HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\"EULAAccepted" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"lph[RANDOM CHARACTERS]" = "%System%\lph[RANDOM CHARACTERS].exe"

Restore the following registry entries to their previous values, if required:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\"InstallationID" = "[RANDOM CLSID]"
HKEY_CURRENT_USER\Control Panel\Desktop\"ConvertedWallpaper" = "%System%\ph[RANDOM CHARACTERS].bmp"
HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "%System%\blph[RANDOM CHARACTERS].scr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispBackgroundPage" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"NoDispScrSavPage" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\"FirstRun" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"Start" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\"ImagePath" = "*system32\DRIVERS\sr.sys*"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\"FirstRun" = "0"
HKEY_CURRENT_USER\Control Panel\Colors\"Background" = "0 0 255"
HKEY_CURRENT_USER\Control Panel\Desktop\"ScreenSaveActive" = "1"
HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"

Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.
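Before touching any of those entries by hand, it helps to see what the machine actually has in them and to have a backup you can import back. The script below is an added example, not code from this post or from Symantec's write-up: it walks the keys listed above, exports each one to a .reg file with reg.exe, and prints every value it finds, flagging the ones that match the infection's own file-name patterns (the lph*.exe autostart, the blph*.scr screen saver, the ph*.bmp wallpaper, and the blue desktop colour), which are taken from the [RANDOM CHARACTERS] entries in the write-up. The policy and System Restore values are only listed, since which of them need restoring depends on what the machine had before; compare them against the list above yourself. It assumes an elevated PowerShell prompt (2.0 or later) on the affected machine and changes nothing in the registry.

```powershell
# Added example: audit the Trojan.BluSOD registry locations from the post and
# back each key up before manual clean-up. Read-only apart from the .reg exports.
# Assumes an elevated PowerShell 2.0+ prompt; key list is the post's, written in
# provider syntax (HKCU:\ / HKLM:\). Only CurrentControlSet is checked for the
# "sr" service, as that is the control set the running system uses.

$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupDir = Join-Path $env:TEMP "blusod-regbackup-$Stamp"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Keys whose values the write-up says to delete or restore.
$Keys = @(
    'HKCU:\Software\Sysinternals\Bluescreen Screen Saver',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Software Notifier',
    'HKCU:\Control Panel\Desktop',
    'HKCU:\Control Panel\Colors',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore',
    'HKLM:\SYSTEM\CurrentControlSet\Services\sr',
    'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters'
)

# Value name -> wildcard pattern that marks the infection's own artefacts.
# Only the unambiguous ones are flagged; everything else is just listed.
$Indicators = @{
    'SCRNSAVE.EXE'       = '*\blph*.scr'   # the fake-BSOD screen saver
    'ConvertedWallpaper' = '*\ph*.bmp'     # the wallpaper it drops
    'Background'         = '0 0 255'       # desktop colour forced to blue
}

$Findings = @()
foreach ($Key in $Keys) {
    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Host "absent  : $Key"
        continue
    }

    # 1. Export the key with reg.exe, which wants HKCU\... rather than HKCU:\...
    $RegPath = $Key -replace '^HK(CU|LM):\\', 'HK$1\'
    $File    = Join-Path $BackupDir (($Key -replace '[:\\ ]', '_') + '.reg')
    & reg.exe export $RegPath $File | Out-Null

    # 2. List every value under the key and flag the ones matching an indicator.
    $Props = Get-ItemProperty -LiteralPath $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip the provider's PSPath etc.
        $Flag = ''
        if ($Key -like '*\CurrentVersion\Run' -and "$($P.Value)" -like '*\lph*.exe') {
            $Flag = 'SUSPECT autostart'
        } elseif ($Indicators.ContainsKey($P.Name) -and "$($P.Value)" -like $Indicators[$P.Name]) {
            $Flag = 'SUSPECT'
        }
        $Findings += New-Object PSObject -Property @{
            Key = $Key; Name = $P.Name; Value = $P.Value; Flag = $Flag
        }
    }
}

$Findings | Sort-Object Flag -Descending | Select-Object Flag, Name, Value, Key | Format-Table -AutoSize
Write-Host "Backups written to $BackupDir"
```

Run it once per user account, as Symantec's note says, because the HKCU entries live in each user's hive. If you later need to undo a manual edit, double-clicking the matching .reg file in the backup folder (or `reg.exe import`) puts the whole key back as it was.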

Thanks, Google and Peter Norton!
