I just did a virus scan and located the Trojan Druogna and found the following information which matches my problem:
Virus Profile: Druogna
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 4/25/2005
Date Added: 4/25/2005
Origin: Unknown
Length: 37876, 97032
Type: Trojan
SubType: Win32
DAT Required: 4476
Virus Characteristics
Detection was added to cover for a 32 bit PE file originally called "bsw.exe", having a filesize of 37.876 bytes. The file is internally compressed with the cryptx and upx packers.
Upon execution it failed to work properly in our test environment.
It is supposed to drop a bitmap file in the root of the harddisk, c:\wp.bmp. This is a real bitmap file that's being used as a full background. The blue screen that's shown is a deceiving one mentioning a trojan spy smithfraud.c.
So this is not a true warning message upon a virus/trojan intercept, it's just a bitmap picture filling the complete screen with the wallpaper bitmap having the fake message painted in it.
It might also drop the file wldr.dll, having a filesize of 87.032 bytes. This file is internally compressed with shrink and upx.
Registry changes may be made under
- ..\Software\Microsoft\Windows\CurrentVersion\Run "BlueScreen W@rning "
Indications of Infection
- Presence of the files/filesizes as mentioned above
- Fake blue screen bitmap covering the complete screen
Method of Infection
- Manual execution of the binary starts the infection, there's no exploit associated with this file.
Removal Instructions
All Users :
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Aliases
Adware/BlueScreenWa (Panda), TR/Agent.CT (H+BEDV), Trojan.Win32.Agent.ct (Kaspersky), Win32/Druogna.F!Trojan (CA eTrust)
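
The "Indications of Infection" listed in the profile can be checked against a file and registry inventory. The following is an added example, not part of the original post or of the vendor profile; the inventory format, function name and sample paths are assumptions made for illustration. It accepts both wldr.dll sizes that appear in the profile (97032 in the Length field, 87.032 in the text) and matches the Run key by suffix because the profile elides the hive.

```python
import ntpath

# Indicators taken from the profile above. wldr.dll appears with two sizes
# (97032 in the header, 87.032 in the text), so both are accepted.
FILE_SIZES = {"bsw.exe": {37876}, "wldr.dll": {97032, 87032}}
BITMAP_NAME = "wp.bmp"  # no size given in the profile; root of the disk only
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "bluescreen w@rning"  # profile shows a trailing space


def check_indicators(files, run_values):
    """files: (full_path, size) pairs; run_values: (key_path, value_name) pairs.

    Both input formats are assumptions of this example. Returns sorted findings.
    """
    findings = []
    for path, size in files:
        name = ntpath.basename(path).lower()
        if name == BITMAP_NAME:
            # Only a bitmap in the drive root matches the profile (c:\wp.bmp).
            _, rest = ntpath.splitdrive(path)
            if rest.lower() in ("\\" + BITMAP_NAME, "/" + BITMAP_NAME):
                findings.append(("file", path, "name and root location match"))
        elif name in FILE_SIZES:
            if size in FILE_SIZES[name]:
                findings.append(("file", path, "name and size match"))
            else:
                findings.append(("file", path, "name matches, size differs"))
    for key, value in run_values:
        # Hive is elided in the profile, so compare the key suffix only.
        key_ok = key.lower().rstrip("\\").endswith(RUN_KEY_SUFFIX)
        if key_ok and value.strip().lower() == RUN_VALUE_NAME:
            findings.append(("registry", key, value.strip()))
    return sorted(findings)


# Constructed sample inventory (not from a real host).
SAMPLE_FILES = [
    (r"C:\wp.bmp", 2359350),
    (r"C:\WINDOWS\system32\wldr.dll", 87032),
    (r"C:\Temp\BSW.EXE", 40000),
    (r"C:\Users\demo\Pictures\wp.bmp", 1024),
]
SAMPLE_RUN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "BlueScreen W@rning "),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"),
]

if __name__ == "__main__":
    for finding in check_indicators(SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```

A "name matches, size differs" result is a weaker signal than a name and size match and is worth confirming with an up-to-date scan, as the removal instructions recommend.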