









W32/FakeAV.EB Trojan

| Name | W32/FakeAV.EB Trojan |
| Aliases | TROJ_FAKEAV.EB |
| Discovered on | August 27, 2008 |

Virus Information - W32/FakeAV.EB Trojan:
W32/FakeAV.EB is a trojan that infects Windows systems.
The trojan may be dropped by other malware or downloaded from a remote website by other malware. It may also be downloaded unknowingly by a user while visiting a malicious website.
Upon execution, the trojan drops the following files:
database.dat in the %Program Files%\rhc7pgj0e3ct folder,
license.txt in the %Program Files%\rhc7pgj0e3ct folder,
MFC71.dll in the %Program Files%\rhc7pgj0e3ct folder,
MFC71ENU.DLL in the %Program Files%\rhc7pgj0e3ct folder,
msvcp71.dll in the %Program Files%\rhc7pgj0e3ct folder,
msvcr71.dll in the %Program Files%\rhc7pgj0e3ct folder,
rhc7pgj0e3ct.exe in the %Program Files%\rhc7pgj0e3ct folder,
rhc7pgj0e3ct.exe.local in the %Program Files%\rhc7pgj0e3ct folder,
Uninstall.exe in the %Program Files%\rhc7pgj0e3ct folder,
Antivirus XP 2008.lnk in the Documents and Settings\All Users\Desktop,
phc3pgj0e3ct.bmp in the Windows System folder,
pphc3pgj0e3ct.exe in the Windows System folder,
Antivirus XP 2008.lnk in the %User Profile%\Application Data\Microsoft\Internet Explorer\Quick Launch.
The trojan modifies the registry at the following locations to load itself at each startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc3pgj0e3ct
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMrhc7pgj0e3ct
It also modifies the registry at the following locations:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc7pgj0e3ct
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
HKEY_CURRENT_USER\Control Panel\Colors\Background
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
The trojan modifies the system wallpaper and screensaver.
