
HTTP UnSpyPC Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects UnSpyPC communicating with, and requesting information from, its controlling server over HTTP.

Additional Information

When UnSpyPC is executed, it performs the following actions:

1. Creates the following files:

* %ProgramFiles%\UnSpyPC\UnSpyPC.exe
* %ProgramFiles%\UnSpyPC\UnSpyPCUpdate.exe
* %ProgramFiles%\UnSpyPC\uninstall.exe
* %ProgramFiles%\UnSpyPC\uns.ico
* %ProgramFiles%\UnSpyPC\warez.dat
* %ProgramFiles%\UnSpyPC\wover.dat
* %Desktop%\UnSpyPC Scanner & Monitor.lnk

Note:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %Desktop% is a variable that refers to the Windows Desktop folder of the current user. By default, this is C:\Windows\Desktop (Windows 95/98/Me) or C:\Documents and Settings\[CURRENT USER]\Desktop (Windows NT/2000/XP).

2. Creates the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-4734-477F-8257-27CD04F88779}
HKEY_CURRENT_USER\Software\UnSpyPC
HKEY_LOCAL_MACHINE\Software\UnSpyPC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC

3. Adds the values:

"UnSpyPC" = "%ProgramFiles%\UnSpyPC\UnSpyPC.exe"
"[RANDOM STRING 1]" = "[RANDOM STRING 2].exe"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the risk runs every time Windows starts.

The variables [RANDOM STRING 1] and [RANDOM STRING 2] represent randomly chosen strings.

4. May add registry entries with randomly chosen value names and file names. The added entries may look similar to the following:

HKCR\CLSID\{94A0E512-EFBE-18DE-9964-820E962F7FAD}\InprocServer32\
"(Default)" = "34763.dll"

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{94A0E512-EFBE-18DE-9964-820E962F7FAD}" = "DCC_send"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"SysSupport" = "sysconf16.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"newbreed" = "backorif.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"utsgmon" = "driver64.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"MON76234" = "NopeZ.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"cmon14" = "borlandg.exe"

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
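To help with step 3, the following script checks the indicators listed under Additional Information against a Windows registry export. It is an added example for this page and is not Symantec code or part of any Symantec product. It assumes the input is the text produced by `reg export` (the `Windows Registry Editor Version 5.00` format, one `[key]` header per subkey and `"name"="data"` value lines with backslashes doubled inside string data). The embedded export, including the value names `qhzvm`, `tkplx.exe` and `Installed`, is constructed for the example; `SysSupport`/`sysconf16.exe` is one of the entries quoted above.

```python
"""
Triage helper for the UnSpyPC registry indicators described above.

Parses a `reg export` text and reports:
  * the UnSpyPC subkeys themselves, if present in the export,
  * Run values that launch UnSpyPC.exe,
  * Run values whose data is a bare "<name>.exe" with no directory, which is
    the shape of the "[RANDOM STRING 1]" = "[RANDOM STRING 2].exe" entries.
"""
import re

# Subkeys and autorun executable taken from the description above (case-insensitive).
UNSPYPC_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\UnSpyPC",
    r"HKEY_LOCAL_MACHINE\Software\UnSpyPC",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-4734-477F-8257-27CD04F88779}",
)}
RUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)}
UNSPYPC_EXE_SUFFIX = r"\unspypc\unspypc.exe"

# A .reg value line: "name"=data or @=data for the default value.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
# Executable name with no directory component at all.
BARE_EXE_RE = re.compile(r"^[A-Za-z0-9_\-]+\.exe$", re.IGNORECASE)


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: data}}; string data is unescaped,
    other types (dword:, hex:) are kept as the raw text."""
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        tree[current][name] = data
    return tree


def find_unspypc_indicators(tree):
    """Return (key, value_name, data, reason) tuples; key-level hits have None name/data."""
    hits = []
    for key, values in tree.items():
        if key.lower() in UNSPYPC_KEYS:
            hits.append((key, None, None, "UnSpyPC registry subkey present"))
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            # The page writes the path with %ProgramFiles%; a live export has it expanded.
            norm = data.lower().replace("%programfiles%", r"c:\program files")
            if norm.endswith(UNSPYPC_EXE_SUFFIX):
                hits.append((key, name, data, "Run value launches UnSpyPC.exe"))
            elif BARE_EXE_RE.match(data.strip()):
                hits.append((key, name, data,
                             "Run value is a bare .exe name with no path (random-string pattern)"))
    return hits


# Constructed sample export for this example; not captured from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"UnSpyPC"="C:\\Program Files\\UnSpyPC\\UnSpyPC.exe"
"qhzvm"="tkplx.exe"
"SysSupport"="sysconf16.exe"

[HKEY_CURRENT_USER\Software\UnSpyPC]
"Installed"=dword:00000001

[HKEY_CURRENT_USER\Software\Example\Benign]
"Path"="C:\\Program Files\\Example\\example.exe"
'''


def triage(text=SAMPLE_EXPORT):
    return find_unspypc_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for key, name, data, reason in triage():
        print(f"{reason}: [{key}] {name!r} = {data!r}")
```

The bare-executable-name check is a heuristic: some legitimate software also registers a Run value as a plain file name resolved through the search path, so treat those hits as candidates to review and confirm the file's location and publisher before deleting the value. The two named indicators (the UnSpyPC subkeys and a Run value pointing at UnSpyPC.exe) are exact matches for what the description lists.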