UnSpyPC


Updated: February 13, 2007 11:47:27 AM
Type: Misleading Application
Infection Length: 1011712;452096
Risk Impact: Medium
File Names: UnSpyPC.exe UnSpyPCUpdate.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When UnSpyPC is executed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\UnSpyPC\UnSpyPC.exe
    • %ProgramFiles%\UnSpyPC\UnSpyPCUpdate.exe
    • %ProgramFiles%\UnSpyPC\uninstall.exe
    • %ProgramFiles%\UnSpyPC\uns.ico
    • %ProgramFiles%\UnSpyPC\warez.dat
    • %ProgramFiles%\UnSpyPC\wover.dat
    • %Desktop%\UnSpyPC Scanner & Monitor.lnk

      Note:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Desktop% is a variable that refers to the Windows Desktop folder. By default, this is C:\Documents and Settings\Administrator\Desktop (Windows 95/98/Me) or C:\Documents and Settings\Administrator\Desktop (Windows NT/2000/XP).

  2. Creates the following registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-4734-477F-8257-27CD04F88779}
    HKEY_CURRENT_USER\Software\UnSpyPC
    HKEY_LOCAL_MACHINE\Software\UnSpyPC
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC

  3. Adds the values:

    "UnSpyPC" = "%ProgramFiles%\UnSpyPC\UnSpyPC.exe"
    "[RANDOM STRING 1]" = "[RANDOM STRING 2].exe"


    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

    The variables [RANDOM STRING 1] and [RANDOM STRING 2] represent randomly chosen strings.

  4. May add random registry entries similar to the following:

    HKCR\CLSID\{94A0E512-EFBE-18DE-9964-820E962F7FAD}\InprocServer32\"(Default)" = "34763.dll"
    HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\"{94A0E512-EFBE-18DE-9964-820E962F7FAD}" = "DCC_send"

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"SysSupport" = "sysconf16.exe"
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"newbreed" = "backorif.exe"
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"utsgmon" = "driver64.exe"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"MON76234" = "NopeZ.exe"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"cmon14" = "borlandg.exe"

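A way to check an exported Run key against the entries listed in steps 3 and 4, as an added example that is not part of the Symantec writeup: it parses a `.reg` file as written by `reg export` and flags values whose name or image file appears above. The sample export is constructed; the extra rule that a bare `.exe` with no directory deserves a manual look is an assumption drawn from the `[RANDOM STRING 2].exe` entry, not a statement from the writeup.

```python
import re
from typing import List, Tuple

# Run keys, value names and image names taken from the UnSpyPC writeup above.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
KNOWN_VALUE_NAMES = {"unspypc", "syssupport", "newbreed", "utsgmon", "mon76234", "cmon14"}
KNOWN_IMAGES = {"unspypc.exe", "sysconf16.exe", "backorif.exe",
                "driver64.exe", "nopez.exe", "borlandg.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for each REG_SZ value in a .reg export."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key:
            # reg export doubles backslashes inside string data; undo that.
            data = value_match.group(2).replace("\\\\", "\\")
            entries.append((current_key, value_match.group(1), data))
    return entries

def find_unspypc_run_entries(text: str) -> List[Tuple[str, str, str, str]]:
    """Flag Run values matching the writeup; returns (key, name, data, reason)."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        image = data.rsplit("\\", 1)[-1].lower()
        if name.lower() in KNOWN_VALUE_NAMES or image in KNOWN_IMAGES:
            hits.append((key, name, data, "matches an entry listed in the writeup"))
        elif "\\" not in data and data.lower().endswith(".exe"):
            # Assumption: a Run value whose data is just an .exe name with no
            # directory resembles the '[RANDOM STRING 2].exe' entry; review it.
            hits.append((key, name, data, "unqualified .exe name, review manually"))
    return hits

# Constructed sample export, not taken from a real machine.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"UnSpyPC"="C:\\Program Files\\UnSpyPC\\UnSpyPC.exe"
"Qx7kd"="mzb41.exe"
"newbreed"="backorif.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
'''
```

Running `find_unspypc_run_entries` on the sample flags UnSpyPC and newbreed as listed entries and Qx7kd and SoundMan for manual review, while the fully qualified ctfmon.exe entry is left alone.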
