Trojan:Win32/Serubsit.A


Trojan:Win32/Serubsit.A is a trojan that locks the affected user's computer and attempts to scare and intimidate the user into calling a premium phone number.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Trojan:Win32/Serubsit.A is a trojan that locks the affected user's computer and attempts to scare and intimidate the user into calling a premium phone number.

Installation

Trojan:Win32/Serubsit.A may be installed with one of the following file names:

  • Install_Flash-Player.exe
  • Dc17.exe
  • WindowsWebSecurity.exe
  • Internet-Explorer_update.exe
  • 4F.tmp
  • Chrome_update.exe
  • Keygen-AUTODESK_AUTOCAD_MAP_3D_2011_x32_x64.exe
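
The file names listed above can be swept for across a user profile. The following PowerShell is an added example, not part of the original entry; the search roots are assumptions, because the entry does not say where the files are written.

```powershell
# Added example: sweep for the file names listed in this entry.
# The search roots below are assumptions; the entry does not state drop locations.
$names = @(
    'Install_Flash-Player.exe',
    'Dc17.exe',
    'WindowsWebSecurity.exe',
    'Internet-Explorer_update.exe',
    '4F.tmp',
    'Chrome_update.exe',
    'Keygen-AUTODESK_AUTOCAD_MAP_3D_2011_x32_x64.exe'
)

$roots = @(
    $env:TEMP,
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    $env:APPDATA,
    $env:LOCALAPPDATA
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |   # -contains is case-insensitive
        ForEach-Object {
            # Record signature state and hash so each hit can be triaged
            # or submitted for analysis without opening the file.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTimeUtc
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Roots can overlap (TEMP usually sits under LOCALAPPDATA), so de-duplicate by path.
$hits | Sort-Object -Property Path -Unique | Format-List
```

A name match alone is not a detection; treat each hit as a lead for the full-system scan recommended in this entry.
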

Payload

Displays messages

After infecting the computer, the trojan waits for a certain period before executing its payload. After this delay, Trojan:Win32/Serubsit.A displays messages that are designed to trick the user into calling a premium phone number.

The malware demands an activation code before it restores normal access to the machine. According to the message, this code can be obtained by phone.

Below are some examples of the messages that the trojan displays, where it attempts to trick the user about Windows activation:

Below are some examples of the messages that the trojan displays, where it attempts to intimidate the affected user into calling a premium number to retrieve an activation key:

Analysis by Ray Roberts


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    Install_Flash-Player.exe
    Dc17.exe
    WindowsWebSecurity.exe
    Internet-Explorer_update.exe
    4F.tmp
    Chrome_update.exe
    Keygen-AUTODESK_AUTOCAD_MAP_3D_2011_x32_x64.exe
  • The display of the following messages:








Prevention


Alert level: Severe
First detected by definition: 1.99.1343.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 16, 2011
This entry was first published on: Mar 16, 2011
This entry was updated on: May 03, 2011

This threat is also detected as:
No known aliases