
HTTP Virusblast Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application VirusBlast.

Additional Information

When VirusBlast is executed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusBlast v5.0.lnk
* %UserProfile%\Desktop\VirusBlast v5.0.lnk
* %UserProfile%\Start Menu\VirusBlast v5.0.lnk
* %UserProfile%\Start Menu\Programs\VirusBlast\VirusBlast v5.0 Un-Installer.lnk
* %UserProfile%\Start Menu\Programs\VirusBlast\VirusBlast v5.0 Website.lnk
* %UserProfile%\Start Menu\Programs\VirusBlast\VirusBlast v5.0.lnk
* %ProgramFiles%\VirusBlast
* %ProgramFiles%\activex.db
* %ProgramFiles%\blacklist.db
* %ProgramFiles%\BlastIEmonitor.dll
* %ProgramFiles%\config.ini
* %ProgramFiles%\cookies.db
* %ProgramFiles%\DbgHelp.Dll
* %ProgramFiles%\filesNames.db
* %ProgramFiles%\hosts.db
* %ProgramFiles%\knownLocations.db
* %ProgramFiles%\md5.db
* %ProgramFiles%\msvcp71.dll
* %ProgramFiles%\msvcr71.dll
* %ProgramFiles%\registry.db
* %ProgramFiles%\sdebug.log
* %ProgramFiles%\spywareinfo.db
* %ProgramFiles%\tips.txt
* %ProgramFiles%\uninst.exe
* %ProgramFiles%\virusblast.chm
* %ProgramFiles%\VirusBlast.exe
* %ProgramFiles%\VirusBlast.url
* %ProgramFiles%\Plugins\DesktopManager\DesktopManager.dll
* %ProgramFiles%\Plugins\DesktopManager\Languages\[LANGUAGE FILES]
* %ProgramFiles%\Plugins\MessengerControl\MessengerControl.dll
* %ProgramFiles%\Plugins\MessengerControl\Languages\[LANGUAGE FILES]
* %ProgramFiles%\Plugins\StartupEditor\StartupEditor.dll
* %ProgramFiles%\Plugins\StartupEditor\Languages\[LANGUAGE FILES]
* %ProgramFiles%\Languages\[LANGUAGE FILES]
* %ProgramFiles%\Logs\[LOG FILES]
* %ProgramFiles%\Quarantine\[QUARANTINE FILES]

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ad-protect.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\IEControl.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{490E7D57-1FC1-4ea6-BD52-483B7271B223}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9DA1990B-9BCA-4c80-AEFB-11A40FA849F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D0FAB5C-2BE4-4126-A28E-828FEBCE1E55}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F6FE2C2-6040-4645-9053-7F689AFFE176}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6B4AB50-F423-4EE6-9839-B35DCFCDFA49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1131081D-81ED-46F0-8B03-B728AEAFFD12}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{214345B8-BB69-498D-A168-29F58F15D806}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E6B4AB50-F423-4EE6-9839-B35DCFCDFA49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{283ED043-D403-4808-BF28-FCDE29DCF1FB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{80ED1EB2-55FB-4434-BD41-E1645A370158}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEControl.IEExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEControl.IEExtension.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VB.Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VB.Server.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirusBlast.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F6FE2C2-6040-4645-9053-7F689AFFE176}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusBlast
HKEY_LOCAL_MACHINE\SOFTWARE\VirusBlast
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F6FE2C2-6040-4645-9053-7F689AFFE176}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\VirusBlast
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

3. Adds the value:

"VirusBlast" = "C:\Program Files\VirusBlast\VirusBlast.exe /s"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the threat starts when Windows starts.

4. Displays a misleading message after running a scan, stating that the computer is infected with malicious spyware, even if no spyware was detected.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
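The following PowerShell script is an added example, not Symantec's tooling or part of the original signature write-up. It checks a host for the indicators listed above (the Run value, a subset of the registry subkeys, and a few of the listed files and shortcuts) and, with `-Remove`, deletes only the autostart value, leaving files and the remaining keys to the full system scan. Registry paths and file names come from the lists above; the selection of which indicators to check, the use of `$env:USERPROFILE`/`$env:ProgramFiles` for expansion, and the assumption of an XP-era shortcut layout are the example's own.

```powershell
# Added example (not Symantec's code): reports VirusBlast artifacts listed in the
# signature write-up and optionally removes the persistence value.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'VirusBlast'

# Registry subkeys from the write-up that are specific to VirusBlast
# (its own key, App Paths and Uninstall entries, and the BHO CLSID).
$registryIndicators = @(
    'HKLM:\SOFTWARE\VirusBlast',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VirusBlast.exe',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusBlast',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F6FE2C2-6040-4645-9053-7F689AFFE176}',
    'HKLM:\SOFTWARE\Classes\CLSID\{1F6FE2C2-6040-4645-9053-7F689AFFE176}',
    'HKLM:\SOFTWARE\Classes\VB.Server'
)

# Files and shortcuts from the write-up, expanded for the current user.
# Assumption: the XP-era profile layout used in the write-up (Start Menu under the profile root).
$fileIndicators = @(
    (Join-Path $env:USERPROFILE 'Desktop\VirusBlast v5.0.lnk'),
    (Join-Path $env:USERPROFILE 'Start Menu\VirusBlast v5.0.lnk'),
    (Join-Path $env:ProgramFiles 'VirusBlast'),
    (Join-Path $env:ProgramFiles 'VirusBlast.exe'),
    (Join-Path $env:ProgramFiles 'BlastIEmonitor.dll'),
    (Join-Path $env:ProgramFiles 'spywareinfo.db')
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Autostart value: the persistence hook described in step 3 of the write-up.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$runValuePresent = $runProps -and $runProps.PSObject.Properties[$runValue]
if ($runValuePresent) {
    $findings.Add([pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\$runValue"; Detail = $runProps.$runValue })
}

# 2. Registry subkeys (Test-Path works against the registry provider; -LiteralPath
#    keeps the braces in the CLSID from being treated as wildcards).
foreach ($key in $registryIndicators) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add([pscustomobject]@{ Type = 'RegistryKey'; Location = $key; Detail = '' })
    }
}

# 3. Files and shortcuts
foreach ($file in $fileIndicators) {
    if (Test-Path -LiteralPath $file) {
        $findings.Add([pscustomobject]@{ Type = 'File'; Location = $file; Detail = '' })
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No VirusBlast indicators found.'
} else {
    $findings | Format-Table -AutoSize
}

# Optional cleanup of the Run value only. ShouldProcess means -WhatIf previews the
# change and -Confirm prompts before it is made; files and remaining keys are left
# to the antivirus product's full scan, as the Response steps above describe.
if ($Remove -and $runValuePresent) {
    if ($PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove autostart value')) {
        Remove-ItemProperty -Path $runKey -Name $runValue
    }
}
```

Run it from an elevated PowerShell session, since the indicators live under HKEY_LOCAL_MACHINE and %ProgramFiles%; `.\Check-VirusBlast.ps1 -Remove -WhatIf` shows what the removal would do without changing the registry.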