
WinAntiSpyware

Updated: February 13, 2007 11:48:42 AM
Type: Misleading Application
Version: 3.0.28.4
Publisher: WinAntiSpyware
Risk Impact: Medium
File Names: uwas6chk.dll, uwasffNT.exe, was6.exe, WAS6.url, uwasfsd.sys, wasfsd.sys, ApiMon.sys, was6chk.dll
Systems Affected: Windows 2000, Windows 98, Windows NT, Windows XP

When WinAntiSpyware is executed, it performs the following actions:
  1. Creates the following files:

    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006 Scanner\Contact customer support.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006 Scanner\Uninstall WinAntiSpyware 2006 Scanner.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006 Scanner\WinAntiSpyware 2006 Scanner on the Web.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006 Scanner\WinAntiSpyware 2006 Scanner Online Manual.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006 Scanner\WinAntiSpyware 2006 Scanner.lnk
    • %UserProfile%\application data\microsoft\internet explorer\quick launch\WinAntispyware 2006.lnk
    • %UserProfile%\Desktop\WinAntiSpyware 2006 Scanner.lnk
    • %UserProfile%\Local Settings\Temp\WinAntiSpyware2006Setup.exe
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\Activate.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\AsAgents.dll
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\bnlink.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\appupdate.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\AutoProcess.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\dbupdate.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\enemies.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\knownfiles.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\monstate.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\PortSpec.ats
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\quaratine.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\RTMonitor.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\Summary.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\tasks.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\database\TEBase.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\InstHelp.exe
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\lapv.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\license.rtf
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\manual.url
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\pv.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\shellext.dll
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\sr.log
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\support.url
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\unins000.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\unins000.exe
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\updater.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\Updater.exe
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\uwas6chk.dll
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\uwasffNT.exe
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\vbpv.dat
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\was6.exe
    • %ProgramFiles%\WinAntiSpyware 2006 Scanner\WAS6.url
    • %CommonProgramFiles%\WinAntiSpyware 2006\was6chk.dll
    • %ProgramFiles%\WinAntiSpyware 2006\Activate.dat
    • %ProgramFiles%\WinAntiSpyware 2006\AsAgents.dll
    • %ProgramFiles%\WinAntiSpyware 2006\AsAgents.xml
    • %ProgramFiles%\WinAntiSpyware 2006\database\enemies.dat
    • %ProgramFiles%\WinAntiSpyware 2006\database\knownfiles.dat
    • %ProgramFiles%\WinAntiSpyware 2006\database\TEBase.dat
    • %ProgramFiles%\WinAntiSpyware 2006\InstHelp.exe
    • %ProgramFiles%\WinAntiSpyware 2006\lapv.dat
    • %ProgramFiles%\WinAntiSpyware 2006\license.rtf
    • %ProgramFiles%\WinAntiSpyware 2006\manual.pdf
    • %ProgramFiles%\WinAntiSpyware 2006\ps.dat
    • %ProgramFiles%\WinAntiSpyware 2006\pv.dat
    • %ProgramFiles%\WinAntiSpyware 2006\shellext.xml
    • %ProgramFiles%\WinAntiSpyware 2006\shellext.dll
    • %ProgramFiles%\WinAntiSpyware 2006\support.exe
    • %ProgramFiles%\WinAntiSpyware 2006\threatnet.ini
    • %ProgramFiles%\WinAntiSpyware 2006\unins000.dat
    • %ProgramFiles%\WinAntiSpyware 2006\unins000.exe
    • %ProgramFiles%\WinAntiSpyware 2006\UnWizard.exe
    • %ProgramFiles%\WinAntiSpyware 2006\unwizard.xml
    • %ProgramFiles%\WinAntiSpyware 2006\updater.dat
    • %ProgramFiles%\WinAntiSpyware 2006\vbpv.dat
    • %ProgramFiles%\WinAntiSpyware 2006\was6.exe
    • %ProgramFiles%\WinAntiSpyware 2006\WAS6.url
    • %ProgramFiles%\WinAntiSpyware 2006\WAS6.xml
    • %ProgramFiles%\WinAntiSpyware 2006\wasffNT.exe
    • %System%\drivers\uwasfsd.sys
    • %System%\drivers\ApiMon.sys
    • %System%\drivers\wasfsd.sys
    • %System%\stera.exe
    • %System%\atl71.dll
    • %System%\mfc71.dll
    • %Windir%\is-[RANDOM].exe
    • %Windir%\is-[RANDOM].lst
    • %Windir%\is-[RANDOM].msg
    • C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\WinAntiSpyware 2006.lnk
    • C:\Documents and Settings\Administrator\Desktop\WinAntiSpyware 2006.lnk
    • C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\wmpfolders.wmdb
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006\Feedback on Support Quality.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006\Report Software Defect.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006\Request for Instructions.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006\Share Your Suggestions.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006\Uninstall WinAntiSpyware 2006.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006\WinAntiSpyware 2006 Manual.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006\WinAntiSpyware 2006 on the Web.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006\WinAntiSpyware 2006.lnk


      Notes:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ExplorerUWAS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D7DE254-2FBD-4C09-9077-3DC4A2DEBE9D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{_CLSID_WAShellExecuteCheck}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ExplorerUWAS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ExplorerUWAS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95411}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42611}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{12398A44-7DFC-4C46-BD8F-41259D169A0D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37411}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UWAS6.UWAS6
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwasfsd.CreationNotifier
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwasfsd.CreationNotifier.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwashellext.ShellHook
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwashellext.ShellHook.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwashellext.WASContextMenu
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwashellext.WASContextMenu.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAntiSpyware 2006 Scanner_is1
    HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiSpyware 2006 Scanner
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uwasfsd
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uwasfsd
    HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Mirabilis
    HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Mirabilis\ICQ
    HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Mirabilis\ICQ\Agent
    HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Mirabilis\ICQ\Agent\Apps
    HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\WinAntiSpyware 2006 Scanner
    HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\WinAntiSpyware 2006 Scanner\Settings

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wasfsd.CreationNotifier
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wasfsd.CreationNotifier.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAS_is1
    HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiSpyware 2006
    HKEY_ALL_USERS\Software\WinAntiSpyware 2006
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wasfsd
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ExplorerWAS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ExplorerWAS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ExplorerWAS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UWAS6.UWAS6
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\washellext.WASContextMenu
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\washellext.WASContextMenu.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WASPChk.WASPChk
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYSTEM\ControlSet003\Services\wasfsd


  3. Adds the value:

    "WinAntiSpyware 2006 Scanner" = "C:\Program Files\WinAntiSpyware 2006 Scanner\was6.exe"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    so that the risk runs every time Windows starts.

  4. Displays alert messages when changes are made on the compromised computer. The activity in question is halted until the user clicks Allow or five seconds have passed.

    The types of activities that the risk blocks include the following:

    • Changes to the browser's home page
    • Installation of software
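
The autostart value from step 3 and the uwasfsd/wasfsd service subkeys from step 2 can be checked for in a registry export. The following is an added example, not part of the original write-up or any vendor tool: the function names are hypothetical, the sample export is constructed, and the indicator strings are copied from the lists above.

```python
import re

# Indicators taken from this write-up, lower-cased for case-insensitive matching.
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
)
RUN_VALUE = "winantispyware 2006 scanner"
SERVICE_KEYS = tuple(
    r"hkey_local_machine\system\currentcontrolset\services" + "\\" + name
    for name in ("uwasfsd", "wasfsd")
)

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def find_traces(text):
    """Return (kind, key, data) tuples for the indicators present."""
    keys = parse_reg_export(text)
    hits = [("autostart", k, keys[k][RUN_VALUE])
            for k in RUN_KEYS if RUN_VALUE in keys.get(k, {})]
    hits += [("driver-service", k, "") for k in SERVICE_KEYS if k in keys]
    return hits

# Constructed sample export (already decoded to str; not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinAntiSpyware 2006 Scanner"="C:\\Program Files\\WinAntiSpyware 2006 Scanner\\was6.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uwasfsd]
"Type"=dword:00000001
'''

if __name__ == "__main__":
    for kind, key, data in find_traces(SAMPLE):
        print(kind, key, data)
```

Version 5.00 exports are written as UTF-16, so decode the file before passing its text to find_traces.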

