HTTP SpywareSweeper Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application MyCleanerPC.

Additional Information

SpywareSweeper is a misleading application that may give exaggerated reports about potential risks on the computer.

When the program is executed, it creates the following files:

* %Windir%\unvise32.exe
* %UserProfile%\Desktop\Spyware Sweeper.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Sweeper\Remove Spyware Sweeper.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Sweeper\Spyware Sweeper.lnk
* %ProgramFiles%\Spyware Sweeper\42387.dll
* %ProgramFiles%\Spyware Sweeper\cintpf.tlb
* %ProgramFiles%\Spyware Sweeper\icon.jpg
* %ProgramFiles%\Spyware Sweeper\ipgar.dll
* %ProgramFiles%\Spyware Sweeper\retav.ocx
* %ProgramFiles%\Spyware Sweeper\s7me.ocx
* %ProgramFiles%\Spyware Sweeper\scanning.gif
* %ProgramFiles%\Spyware Sweeper\spupac.ocx
* %ProgramFiles%\Spyware Sweeper\uninstal.log
* %ProgramFiles%\Spyware Sweeper\LiveUpdate.exe
* %ProgramFiles%\Spyware Sweeper\spywaresweeper.exe
* %ProgramFiles%\Spyware Sweeper\SsPcFirewall.exe

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Spyware Sweeper" = "C:\Program Files\Spyware Sweeper\SpywareSweeper.exe"

It also modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\unvise32.exe" = "1"

The program also creates the following registry subkeys:

* HKEY_ALL_USERS\Software\VB and VBA Program Settings\Spyware Sweeper
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Sweeper

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
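The following PowerShell script is an added example, not part of the Symantec signature page and not a Symantec tool. It turns the file and registry indicators listed under Additional Information into a host check for steps 3 and 4 of the Response: it reports which indicators are present and previews removal of the startup Run value. It assumes the indicator paths exactly as the page gives them, expands %Windir%, %UserProfile% and %ProgramFiles% from the environment, and maps the page's HKEY_ALL_USERS subkey to HKCU as an assumption (the value names and paths are the page's; nothing else is known about the program).

```powershell
# Added example: check a Windows host for the SpywareSweeper indicators listed on the page.
# Run in an elevated PowerShell session; HKLM values cannot be removed otherwise.

# File indicators (paths taken from the page, environment variables expanded).
$fileIndicators = @(
    (Join-Path $env:WINDIR 'unvise32.exe'),
    (Join-Path $env:USERPROFILE 'Desktop\Spyware Sweeper.lnk'),
    'C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Sweeper\Remove Spyware Sweeper.lnk',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Sweeper\Spyware Sweeper.lnk'
)
$programDir = Join-Path $env:ProgramFiles 'Spyware Sweeper'
$programFiles = '42387.dll', 'cintpf.tlb', 'icon.jpg', 'ipgar.dll', 'retav.ocx', 's7me.ocx',
                'scanning.gif', 'spupac.ocx', 'uninstal.log', 'LiveUpdate.exe',
                'spywaresweeper.exe', 'SsPcFirewall.exe'
$fileIndicators += ($programFiles | ForEach-Object { Join-Path $programDir $_ })

# Registry indicators (from the page). HKEY_ALL_USERS is mapped to HKCU here as an assumption.
$runKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue       = 'Spyware Sweeper'
$sharedDllKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls'
$sharedDllValue = 'C:\WINDOWS\unvise32.exe'
$subkeys = @(
    'HKCU:\Software\VB and VBA Program Settings\Spyware Sweeper',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Sweeper'
)

# Returns $true when the named value exists under the given key.
function Test-RegistryValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.PSObject.Properties.Name -contains $Name)
}

$findings = @()
foreach ($f in $fileIndicators) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $f }
    }
}
if (Test-RegistryValue -Path $runKey -Name $runValue) {
    $findings += [pscustomobject]@{ Type = 'RunValue'; Indicator = "$runKey\$runValue" }
}
if (Test-RegistryValue -Path $sharedDllKey -Name $sharedDllValue) {
    $findings += [pscustomobject]@{ Type = 'SharedDllsValue'; Indicator = "$sharedDllKey\$sharedDllValue" }
}
foreach ($k in $subkeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'Subkey'; Indicator = $k }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SpywareSweeper indicators found.'
} else {
    $findings | Format-Table -AutoSize
    # Response step 4: remove the Run value that re-launches the program at startup.
    # -WhatIf only previews the change; remove it to apply after the full scan (step 3) has run.
    if (Test-RegistryValue -Path $runKey -Name $runValue) {
        Remove-ItemProperty -LiteralPath $runKey -Name $runValue -WhatIf
    }
}
```

The check is deliberately read-only apart from the previewed Run-value removal: the uninstall and SharedDlls entries and the files themselves are left for the full system scan in step 3, and the list of findings gives the analyst a record of what was present before cleanup.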