Unvirex

Updated:
June 2, 2009 10:45:44 AM
Type:
Misleading Application
Infection Length:
13,029,376 bytes
Name:
Unvirex
Version:
1.0.0.1
Publisher:
www.univirex.com
Risk Impact:
Medium
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Behavior
The program can be downloaded and manually installed.

The program reports false or exaggerated system security threats on the computer.





The user is then prompted to pay for a full license of the application in order to remove the threats.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\UnVirex.lnk
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\ext.dll
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\System.dll
  • C:\Documents and Settings\All Users\Desktop\UnVirex.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex\How to Register UnVirex.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex\Register UnVirex.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex\UnVirex.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\UnVirex.lnk
  • %ProgramFiles%\UnVirex\daily.cvd
  • %ProgramFiles%\UnVirex\Drvfltip.sys
  • %ProgramFiles%\UnVirex\hjengine.dll
  • %ProgramFiles%\UnVirex\IEAddon.dll
  • %ProgramFiles%\UnVirex\main.cvd
  • %ProgramFiles%\UnVirex\MFC71.dll
  • %ProgramFiles%\UnVirex\MFC71ENU.DLL
  • %ProgramFiles%\UnVirex\msvcp71.dll
  • %ProgramFiles%\UnVirex\msvcr71.dll
  • %ProgramFiles%\UnVirex\pthreadVC2.dll
  • %ProgramFiles%\UnVirex\siglsp.dll
  • %ProgramFiles%\UnVirex\uninstall.exe
  • %ProgramFiles%\UnVirex\UnVirex.exe


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"UnVirex" = "C:\Program Files\UnVirex\UnVirex.exe"

It then creates the following registry entries, which modify the LSP stack:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\00000001\"PackedCatalogItem" = "%ProgramFiles%\UnVirex\siglsp.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000013\"PackedCatalogItem" = "%ProgramFiles%\UnVirex\siglsp.dll"


The program also creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\"UnVirex" = "UnVirex"

It also creates the following registry subkeys:
  • HKEY_CLASSES_ROOT\AppID\IEAddon.DLL
  • HKEY_CLASSES_ROOT\AppID\{C0E56AC2-9F72-436E-B6E7-AEC28AF9E4EB}
  • HKEY_CLASSES_ROOT\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
  • HKEY_CLASSES_ROOT\IEAddon.StatusBarPane.1 HKEY_CLASSES_ROOT\IEAddon.StatusBarPane
  • HKEY_CLASSES_ROOT\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}
  • HKEY_CLASSES_ROOT\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnVirex
  • HKEY_LOCAL_MACHINE\SOFTWARE\UnVirex
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DrvFltIp
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver