
AntiSpyStorm

Updated: July 30, 2007 11:07:10 AM
Type: Potentially Unwanted App
Name: AntiSpyStorm
Version: 1.00.0040
Publisher: AntiSpyStorm Inc.
Risk Impact: Medium
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP

Behaviour

When the program is run, it displays a window that allows the user to scan the computer for security threats.



The program reports several fake security risks as present on the computer. It then asks the user to purchase a registered version of the software to remove the falsely reported risks.

This program must be manually installed.


Installation:
When the program is executed, it creates the following files:
  • C:\Documents and Settings\All Users\Desktop\AntispyStorm.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntispyStorm\AntispyStorm.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\AntispyStorm\Uninstall AntispyStorm.lnk
  • C:\Program Files\AntispyStorm\AntispyStorm.exe
  • C:\Program Files\AntispyStorm\as_ie_monitor.dll
  • C:\Program Files\AntispyStorm\clsReg.dll
  • C:\Program Files\AntispyStorm\config.dat
  • C:\Program Files\AntispyStorm\filesbase.bin
  • C:\Program Files\AntispyStorm\global_virus_table.bin
  • C:\Program Files\AntispyStorm\ignoredomainsbase.bin
  • C:\Program Files\AntispyStorm\ignorefilesbase.bin
  • C:\Program Files\AntispyStorm\ignoreregsbase.bin
  • C:\Program Files\AntispyStorm\parser.exe
  • C:\Program Files\AntispyStorm\regbase.bin
  • C:\Program Files\AntispyStorm\stat.bin
  • C:\Program Files\AntispyStorm\uninstall.exe
  • C:\Program Files\AntispyStorm\uninstall.log
  • C:\Program Files\AntispyStorm\urlbase.bin


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AntispyStorm" = "C:\Program Files\AntispyStorm\AntispyStorm.exe"

The program also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntispyStorm\"uninstallstring" = ""C:\Program Files\AntispyStorm\uninstall.exe" -u"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntispyStorm\"DisplayIcon" = "C:\Program Files\AntispyStorm\uninstall.exe,0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntispyStorm\"displayname" = "AntispyStorm 1.01.0027"
HKEY_LOCAL_MACHINE\SOFTWARE\AntispyStorm\"work directory" = "C:\Program Files\AntispyStorm\"
HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpyware\"InstalledApplication" = "AntiSpyStorm"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0723CAE4-C2AB-4995-B749-6BC9BE984564}\"Default" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA201C93-F34A-47A5-B65D-AA7C95068E92}\InprocServer32\"Default" = "C:\Program Files\AntispyStorm\clsReg.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C8EBBFFA-881D-4F15-9D29-7435462E4294}\3.0\0\win32\"Default" = "C:\Program Files\AntispyStorm\clsReg.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D8478214-61AD-4C83-9D76-2BE980A51452}\1.0\0\win32\"Default" = "C:\Program Files\AntispyStorm\as_ie_monitor.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mdReg.clsReg\Clsid\"Default" = "{EA201C93-F34A-47A5-B65D-AA7C95068E92}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mdReg.clsReg\"Default" = "mdReg.clsReg"

The program then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0723CAE4-C2AB-4995-B749-6BC9BE984564}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4619EC5B-EF8F-44E9-9A74-6E7B5F1C4188}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EFBD98B0-0C01-4325-85F8-5E791AB33570}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\as_ie_monitor.ie_monitor
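
The following is an added example, not part of the original write-up or Symantec's tooling. It parses registry entries in the notation used above and separates the ones that cause code to be loaded (Run key, Browser Helper Object, COM InprocServer32) from bookkeeping entries, so a responder knows which to check first. The classification rules and function names are this example's own assumptions.

```python
import re

# Five entries copied from the write-up, in its  key\"value" = "data"  notation.
ENTRIES = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AntispyStorm" = "C:\Program Files\AntispyStorm\AntispyStorm.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntispyStorm\"uninstallstring" = ""C:\Program Files\AntispyStorm\uninstall.exe" -u"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0723CAE4-C2AB-4995-B749-6BC9BE984564}\"Default" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA201C93-F34A-47A5-B65D-AA7C95068E92}\InprocServer32\"Default" = "C:\Program Files\AntispyStorm\clsReg.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D8478214-61AD-4C83-9D76-2BE980A51452}\1.0\0\win32\"Default" = "C:\Program Files\AntispyStorm\as_ie_monitor.dll"
'''

# The data part may itself contain quotes (see uninstallstring), so it is
# matched greedily up to the final quote on the line.
ENTRY_RE = re.compile(r'^(?P<key>.+?)\\"(?P<value>[^"]+)" = "(?P<data>.*)"$')

# Triage rules keyed on registry location (this example's own, not Symantec's).
RULES = [
    (r'\\CurrentVersion\\Run$', 'load point: started by the Run key'),
    (r'\\Browser Helper Objects\\\{[0-9A-F-]+\}$', 'load point: Browser Helper Object CLSID'),
    (r'\\InprocServer32$', 'load point: in-process COM server DLL'),
    (r'\\CurrentVersion\\Uninstall\\', 'bookkeeping: uninstall entry'),
    (r'\\TypeLib\\', 'bookkeeping: type library registration'),
]

def parse(line):
    """Split one entry into key path, value name and data."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a registry entry: {line!r}')
    return {'key': m['key'], 'value': m['value'], 'data': m['data']}

def classify(key):
    """Return the first matching triage label for a key path, else 'other'."""
    for pattern, label in RULES:
        if re.search(pattern, key, re.IGNORECASE):
            return label
    return 'other'

def load_points(text):
    """Return (key, data) for entries that cause code to be loaded."""
    entries = [parse(line) for line in text.strip().splitlines()]
    return [(e['key'], e['data']) for e in entries
            if classify(e['key']).startswith('load point')]

if __name__ == '__main__':
    for key, data in load_points(ENTRIES):
        print(classify(key), '|', key, '|', data or '(empty)')
```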