Threat Encyclopedia

JOKE_BLUESCREEN

Type: Joke Program

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating: Low

Reported detections: Low

System impact: Low

Information exposure: Low
 

Description:

This grayware may be dropped by other malware. It may arrive bundled with malware packages as a malware component.

It creates a registry key as part of its installation routine.

It poses as a screensaver that displays a blue screen when executed. Upon execution, it displays the following End-User License Agreement (EULA):

[Image: JOKE_BLUESCREEN EULA]

It displays the following GUI when a user clicks the Settings button on the screen saver tab of the Display Properties dialog box:

[Image: JOKE_BLUESCREEN GUI]



TECHNICAL DETAILS



Initial samples received on: Jul 16, 2008

File type: PE

Memory resident: No

File size: 60,928 Bytes

Details:

This grayware may be dropped by TROJ_TIBS.BDT. It may arrive bundled with malware packages as a malware component.

It creates the following registry key as part of its installation routine:

HKEY_CURRENT_USER\Software\Sysinternals\BlueScreen

It poses as a screensaver that displays a blue screen when executed. Upon execution, it displays the following End-User License Agreement (EULA):

[Image: JOKE_BLUESCREEN EULA]

It displays the following GUI when a user clicks the Settings button on the screen saver tab of the Display Properties dialog box:

[Image: JOKE_BLUESCREEN GUI]

It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.


Analysis by: Michael Cabel



SOLUTION


Minimum scan engine version needed: 8.500

Spyware pattern version needed: 0.690.30

Pattern release date: Sep 21, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Note: To fully remove all associated malware, perform the clean solutions for TROJ_TIBS.BDT.

Removing Other Malware Keys from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Sysinternals
  3. Still in the left panel, locate and delete the key:
    BlueScreen
  4. Close Registry Editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as JOKE_BLUESCREEN. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.



