I think this is a relatively new one as there is very little out there on the web.

Update: 05/06/2007 – Trojan.Kardphisher

My son had a Windows Activation screen up on his laptop. It was basically stating there was another user that had activated his OS. It requested a credit card number in order to prove that his activation was valid.

I actually almost filled it out, then saw that it was also asking for the card pin number. Now I figured it was odd that Microsoft might ask for a credit card, but realized it was a phishing scam when I saw the pin request.

What happens is this virus will disable the task manager so you cannot stop its execution, then it brings up this first screen (keep in mind, Microsoft does not request any personal information during a real activation process):

Your two options are to either activate now or activate later. When you say activate later, it reboots the machine (this is what it did for me anyway). Each time it rebooted, it brought me back to this first screen. If you say activate now, you get the next screen:

At this point in time, your average user may be tricked into providing the remaining information. But do not be tricked. THIS IS A PHISHING SCAM! I tried to use ctrl-alt-del to bring up the task manager so that I could see what was running or to kill it, but then got this screen:

While these screens were up, I was unable to open any other application. I noticed from the start bar, this application had a name of ‘97411420.exe’ which also seemed rather non-Microsoft-like. I turned off the machine, and started up in safe mode, I was pleasantly surprised to see the screens gone. I immediately searched the PC for any files created or modified within the last week. Low and behold, I found an executable file called ‘97411420.exe’. I deleted it and restarted the machine normally. All was well.

My assumption, however, is that the file name ‘97411420.exe’ will most likely be different if you run into this issue, but I am fairly certain you can use the same methodology to locate and remove the virus. I would imagine there is a more elaborate and probably better way of finding and eliminating this virus, but I went low-tech.

The next step was to re-establish use of my Task Manager. Once that was done, it was like it had not happened. Which I wish it hadn’t because it gave me pause to think how easy it must be to create such a beast.

Anyway… be careful out there!