
HTTP Winreanimator Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects network activity of the misleading application WinReanimator.

Additional Information

WinReanimator is a misleading application that may give exaggerated reports of threats on the computer.

The program must be installed manually. It reports false or exaggerated security threats on the computer and then prompts the user to pay for a full license of the application in order to remove the reported errors.

Installation
When the program is executed, it creates the following files:

* %UserProfile%\Local Settings\Temp\Binaries1.zip
* %UserProfile%\Local Settings\Temp\Binaries2.zip
* %UserProfile%\Local Settings\Temp\Binaries3.zip
* C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk
* C:\Documents and Settings\All Users\Desktop\WinReanimator.lnk
* %ProgramFiles%\WinReanimator\data\daily.cvd
* %ProgramFiles%\WinReanimator\htmlayout.dll
* %ProgramFiles%\WinReanimator\install.exe
* %ProgramFiles%\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
* %ProgramFiles%\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll
* %ProgramFiles%\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll
* %ProgramFiles%\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll
* %ProgramFiles%\WinReanimator\pthreadVC2.dll
* %ProgramFiles%\WinReanimator\un.ico
* %ProgramFiles%\WinReanimator\unzip32.dll
* %ProgramFiles%\WinReanimator\WinReanimator.cfg
* %ProgramFiles%\WinReanimator\WinReanimator.dll
* %ProgramFiles%\WinReanimator\WinReanimator.exe
The program may then drop the following files:

* %UserProfile%\Application Data\[RANDOM FILE NAME]._dl
* %UserProfile%\Application Data\[RANDOM FILE NAME].reg
* %UserProfile%\Local Settings\Application Data\[RANDOM FILE NAME].dat
* %UserProfile%\Local Settings\Application Data\[RANDOM FILE NAME].bat
* C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME ONE].bat
* C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME TWO].bat
* C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].scr
* C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].lib
* C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].exe
* C:\Documents and Settings\All Users\Documents\[RANDOM FILE NAME]._sy
* C:\Documents and Settings\All Users\Documents\[RANDOM FILE NAME].dl
* C:\Documents and Settings\All Users\Documents\[RANDOM FILE NAME ONE].ban
* C:\Documents and Settings\All Users\Documents\[RANDOM FILE NAME TWO].ban
* C:\Documents and Settings\All Users\Documents\[RANDOM FILE NAME].exe
* %CommonProgramFiles%\[RANDOM FILE NAME].dat
* %CommonProgramFiles%\[RANDOM FILE NAME].ban
* %System%\[RANDOM FILE NAME].scr
* %System%\[RANDOM FILE NAME].pif
* %System%\[RANDOM FILE NAME].ban
* %System%\[RANDOM FILE NAME].exe
* %System%\[RANDOM FILE NAME ONE].vbs
* %System%\[RANDOM FILE NAME TWO].vbs
* %Windir%\[RANDOM FILE NAME].sys
* %Windir%\[RANDOM FILE NAME ONE].scr
* %Windir%\[RANDOM FILE NAME TWO].scr
* %Windir%\[RANDOM FILE NAME ONE].inf
* %Windir%\[RANDOM FILE NAME TWO].inf
* %Windir%\[RANDOM FILE NAME ONE].dll
* %Windir%\[RANDOM FILE NAME TWO].dll
* %Windir%\[RANDOM FILE NAME THREE].dll
* %Windir%\[RANDOM FILE NAME]._sy
* %Windir%\[RANDOM FILE NAME ONE].pif
* %Windir%\[RANDOM FILE NAME TWO].pif
* %Windir%\[RANDOM FILE NAME].dat
* %Windir%\[RANDOM FILE NAME]._dl
* %Windir%\[RANDOM FILE NAME].vbs

The program then falsely reports the randomly named files it dropped above as threats present on the computer.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinReanimator" = "C:\Program Files\WinReanimator\WinReanimator.exe"

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\WinReanimator
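The installation artifacts and the Run-key persistence entry listed above are what an analyst would check on a suspect host. The following Python script is an added triage example, not part of the Symantec page: it takes a caller-supplied inventory (Run-key values, registry subkeys and a file listing, all constructed inline here) and matches it against the advisory's indicators. The values assumed for the %UserProfile%, %ProgramFiles%, %CommonProgramFiles%, %System% and %Windir% placeholders are typical 32-bit Windows XP defaults and are an assumption. The fixed install paths and the Run value count as strong indicators; the randomly named drops can only be matched by directory and extension, which also matches legitimate files (for example any .dll in %Windir%), so they are treated as weak and never raise the verdict on their own.

```python
"""Offline triage of host inventory data against the WinReanimator indicators
in the advisory above (added example; the inventory is constructed, not read
from a live registry or disk)."""
import ntpath
from typing import Dict, List, Optional, Tuple

# Assumed expansions for the advisory's %Var% placeholders (typical 32-bit
# Windows XP layout; adjust for the host being examined).
ENV = {
    "%UserProfile%": r"C:\Documents and Settings\User",
    "%ProgramFiles%": r"C:\Program Files",
    "%CommonProgramFiles%": r"C:\Program Files\Common Files",
    "%System%": r"C:\WINDOWS\system32",
    "%Windir%": r"C:\WINDOWS",
}


def expand(path: str) -> str:
    """Substitute the %Var% placeholders (advisory casing) and lower-case the path."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path.lower()


# Strong indicators: the persistence value, the subkey and the fixed install paths.
RUN_VALUE_NAME = "WinReanimator"
SUBKEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\WinReanimator"
INSTALL_DIR = expand(r"%ProgramFiles%\WinReanimator") + "\\"
FIXED_FILES = {expand(p) for p in (
    r"%UserProfile%\Local Settings\Temp\Binaries1.zip",
    r"%UserProfile%\Local Settings\Temp\Binaries2.zip",
    r"%UserProfile%\Local Settings\Temp\Binaries3.zip",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk",
    r"C:\Documents and Settings\All Users\Desktop\WinReanimator.lnk",
)}

# Weak indicators: directories and extensions of the randomly named decoy drops.
DROP_DIRS = {
    expand(r"%UserProfile%\Application Data"): {"._dl", ".reg"},
    expand(r"%UserProfile%\Local Settings\Application Data"): {".dat", ".bat"},
    expand(r"C:\Documents and Settings\All Users\Application Data"): {".bat", ".scr", ".lib", ".exe"},
    expand(r"C:\Documents and Settings\All Users\Documents"): {"._sy", ".dl", ".ban", ".exe"},
    expand(r"%CommonProgramFiles%"): {".dat", ".ban"},
    expand(r"%System%"): {".scr", ".pif", ".ban", ".exe", ".vbs"},
    expand(r"%Windir%"): {".sys", ".scr", ".inf", ".dll", "._sy", ".pif", ".dat", "._dl", ".vbs"},
}


def check_registry(run_values: Dict[str, str], subkeys: List[str]) -> List[str]:
    """run_values: {value name: data} read from the Run key; subkeys: full key paths."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or "winreanimator" in data.lower():
            findings.append(f"run-key persistence: {name} = {data}")
    for key in subkeys:
        if key.lower() == SUBKEY.lower():
            findings.append(f"registry subkey: {key}")
    return findings


def classify_file(path: str) -> Optional[str]:
    """Return 'strong', 'weak' or None for one path (literal or %Var% form)."""
    p = expand(path)
    if p.startswith(INSTALL_DIR) or p in FIXED_FILES:
        return "strong"
    directory, name = ntpath.split(p)
    exts = DROP_DIRS.get(directory)
    if exts:
        _, ext = ntpath.splitext(name)  # "._sy" and "._dl" survive splitext intact
        if ext in exts:
            return "weak"
    return None


def triage(run_values: Dict[str, str], subkeys: List[str],
           file_listing: List[str]) -> Tuple[str, List[str]]:
    """Combine the checks; weak (decoy-style) hits alone never confirm an infection."""
    findings = check_registry(run_values, subkeys)
    confirmed = bool(findings)
    weak = 0
    for f in file_listing:
        verdict = classify_file(f)
        if verdict == "strong":
            confirmed = True
            findings.append(f"install artifact: {f}")
        elif verdict == "weak":
            weak += 1
            findings.append(f"possible decoy drop (random-named): {f}")
    if confirmed:
        return "WinReanimator present", findings
    if weak:
        return "inconclusive: decoy-style files only", findings
    return "no indicators", findings


# Constructed sample inventory for a stand-alone run.
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "WinReanimator": r"C:\Program Files\WinReanimator\WinReanimator.exe",
}
SAMPLE_SUBKEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft", r"HKEY_LOCAL_MACHINE\SOFTWARE\WinReanimator"]
SAMPLE_FILES = [
    r"C:\Program Files\WinReanimator\WinReanimator.exe",
    r"C:\Program Files\WinReanimator\data\daily.cvd",
    r"C:\WINDOWS\kb29a1f.scr",             # constructed random-named decoy
    r"C:\WINDOWS\system32\kernel32.dll",   # legitimate, must not match
    r"C:\WINDOWS\explorer.exe",            # legitimate, must not match
]

if __name__ == "__main__":
    verdict, notes = triage(SAMPLE_RUN, SAMPLE_SUBKEYS, SAMPLE_FILES)
    print(verdict)
    for note in notes:
        print(" -", note)
```

On a real host the three inputs would come from a registry export and a directory listing of the paths in DROP_DIRS; the script deliberately reads neither so that it can be run and checked offline, and the expansion table should be replaced with the host's actual environment values before use.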

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows Vista
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.