
Fake App Attack: WinSpy Executable Download

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application WinSpy.

Additional Information

WinSpy is a misleading application that may give exaggerated reports about potential risks on the computer.

When the program is executed, it creates the following files:

* %Windir%\Installer\[RANDOM NAME].msi
* %UserProfile%\Application Data\AntiSpywareDAT\BlockedCookies.dat
* %UserProfile%\Application Data\AntiSpywareDAT\date.dat
* %UserProfile%\Application Data\AntiSpywareDAT\DirectoryDefinition.dat
* %UserProfile%\Application Data\AntiSpywareDAT\ENoSignature.dat
* %UserProfile%\Application Data\AntiSpywareDAT\ExeDefinition.dat
* %UserProfile%\Application Data\AntiSpywareDAT\FileDefinition.dat
* %UserProfile%\Application Data\AntiSpywareDAT\RegistryDefinition.dat
* %UserProfile%\Application Data\AntiSpywareDAT\Safety.dat
* %UserProfile%\Desktop\WinSpy Demo.lnk
* %UserProfile%\Start Menu\Programs\WinSpy Software\WinSpy Demo\Readme-Help.lnk
* %UserProfile%\Start Menu\Programs\WinSpy Software\WinSpy Demo\WinSpy Demo.lnk
* %UserProfile%\Start Menu\Programs\WinSpy Software\WinSpy Demo\WinSpy.com.url
* %ProgramFiles%\WinSpy Demo\WinSpyDemo.exe
* %ProgramFiles%\WinSpy Demo\help.chm
* %ProgramFiles%\WinSpy Demo\Localization.xml
* %ProgramFiles%\WinSpy Demo\riched32.dll
* %ProgramFiles%\WinSpy Demo\WinSpy.com.url

Next, the program creates the following registry entry so that it executes whenever Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinSpyDemo" = "C:\Program Files\WinSpy Demo\WinSpyDemo.exe"

The program also creates the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\WinSpy Demo\" = ""
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\[USERNAME]\Application Data\AntiSpywareDAT\" = ""
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\[USERNAME]\Start Menu\Programs\WinSpy Software\" = ""
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\[USERNAME]\Start Menu\Programs\WinSpy Software\WinSpy Demo" = ""
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\[USERNAME]\Application Data\Microsoft\Installer\{840B018E-1551-45D9-9157-3BE7E0E59E54}" = ""


The program also creates the following registry subkeys:

* HKEY_USERS\Software\VB and VBA Program Settings\WinSpy
* HKEY_LOCAL_MACHINE\SOFTWARE\WinSpy Software

Affected

  • Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
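The following PowerShell script is an added example and is not part of the Symantec signature page or of any Symantec product. It performs a read-only check for the file and registry artifacts listed above, which is the triage step before the response procedure (in particular step 4) is carried out. Assumptions: %UserProfile%\Application Data is taken as $env:APPDATA (its location on Windows Vista and later), the Start Menu entries are looked for both at the page's %UserProfile%\Start Menu path and under $env:APPDATA\Microsoft\Windows, %ProgramFiles% is checked in both the 64-bit and 32-bit Program Files directories, and the Run value is also checked under Wow6432Node. The random-name MSI in %Windir%\Installer cannot be matched by name and is not checked.

```powershell
# Added example, not Symantec's code: read-only inventory of the WinSpy
# artifacts listed in the signature. Nothing is deleted or modified.

$checks = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Kind, [string]$Location, [bool]$Present) {
    $script:checks.Add([pscustomobject]@{ Kind = $Kind; Present = $Present; Location = $Location })
}

# --- Files from the page's list ---------------------------------------------
# Assumption: "%UserProfile%\Application Data" is $env:APPDATA on Vista and later.
$artifactDir = Join-Path $env:APPDATA 'AntiSpywareDAT'
$datFiles = 'BlockedCookies.dat', 'date.dat', 'DirectoryDefinition.dat', 'ENoSignature.dat',
            'ExeDefinition.dat', 'FileDefinition.dat', 'RegistryDefinition.dat', 'Safety.dat'
foreach ($name in $datFiles) {
    $p = Join-Path $artifactDir $name
    Add-Check 'File' $p (Test-Path -LiteralPath $p -PathType Leaf)
}

# Assumption: a 32-bit installer on 64-bit Windows lands in Program Files (x86).
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$programFiles = 'WinSpyDemo.exe', 'help.chm', 'Localization.xml', 'riched32.dll', 'WinSpy.com.url'
foreach ($dir in $programDirs) {
    foreach ($name in $programFiles) {
        $p = Join-Path (Join-Path $dir 'WinSpy Demo') $name
        Add-Check 'File' $p (Test-Path -LiteralPath $p -PathType Leaf)
    }
}

# Shortcuts: the page's XP-era path plus the Vista+ per-user Start Menu location (assumption).
$shortcutPaths = @(
    (Join-Path $env:USERPROFILE 'Desktop\WinSpy Demo.lnk'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\WinSpy Software'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\WinSpy Software')
)
foreach ($p in $shortcutPaths) { Add-Check 'Shortcut' $p (Test-Path -LiteralPath $p) }

# --- Registry: autostart value ----------------------------------------------
# Assumption: both the native and the Wow6432Node Run keys are worth checking.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -Name 'WinSpyDemo' -ErrorAction SilentlyContinue
    Add-Check 'RunValue' "$k\WinSpyDemo" ($null -ne $v)
}

# --- Registry: Installer\Folders entries -----------------------------------
# Here the value *names* are the folder paths, so we match on the names. The
# GUID is the one quoted on the page.
$foldersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders'
$folderHits = @()
if (Test-Path $foldersKey) {
    $folderHits = @((Get-Item $foldersKey).GetValueNames() |
        Where-Object { $_ -match 'WinSpy|AntiSpywareDAT|840B018E-1551-45D9-9157-3BE7E0E59E54' })
}
Add-Check 'InstallerFolders' $foldersKey ($folderHits.Count -gt 0)
foreach ($hit in $folderHits) { Add-Check 'InstallerFolderValue' $hit $true }

# --- Registry: subkeys ------------------------------------------------------
Add-Check 'Subkey' 'HKLM:\SOFTWARE\WinSpy Software' (Test-Path 'HKLM:\SOFTWARE\WinSpy Software')
# The page names HKEY_USERS\Software\..., so every loaded hive under HKEY_USERS
# is checked for that relative path.
Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $sub = "Registry::HKEY_USERS\$($_.PSChildName)\Software\VB and VBA Program Settings\WinSpy"
    Add-Check 'Subkey' $sub (Test-Path -LiteralPath $sub)
}

# --- Report ------------------------------------------------------------------
$found = @($checks | Where-Object { $_.Present })
$checks | Sort-Object Present -Descending | Format-Table Kind, Present, Location -AutoSize
Write-Host ("{0} of {1} listed artifacts present" -f $found.Count, $checks.Count)
```

Run it from an elevated prompt so HKLM and the other users' hives under HKEY_USERS are readable. Only the rows reported as present correspond to step 4 of the response; each such registry value or key can then be reviewed and removed with Remove-ItemProperty or Remove-Item after the full scan in step 3 has completed.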