SpyLax

Updated: February 13, 2007 11:52:00 AM
Type: Misleading Application
Risk Impact: Low
Systems Affected: Windows

When the program is executed, it performs the following actions:
  1. Creates the following files:

    • %UserProfile%\Desktop\SpyLax v2.0.lnk
    • %UserProfile%\Local Settings\Temp\~[SIX RANDOM CHARACTERS].tmp
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Spy Lax v2.0\Remove Spy Lax v2.0.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Spy Lax v2.0\SpyLax v2.0.lnk
    • %ProgramFiles%\SpyLax\Alert.WAV
    • %ProgramFiles%\SpyLax\BlockedCookies.txt
    • %ProgramFiles%\SpyLax\ImmunizeDatabase
    • %ProgramFiles%\SpyLax\RegistrySpylist
    • %ProgramFiles%\SpyLax\rmcomtb.dat
    • %ProgramFiles%\SpyLax\rmcomtb.exe
    • %ProgramFiles%\SpyLax\SpyKiller log10-1-07154648.txt
    • %ProgramFiles%\SpyLax\SpyLax.exe
    • %ProgramFiles%\SpyLax\spyList
    • %ProgramFiles%\SpyLax\uninstal.log
    • %System%\MSCOMCT2.OCX
    • %System%\Richtx32.ocx
    • %System%\TABCTL32.OCX
    • %Windir%\unvise32.exe

      Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spy Lax v2.0
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Spy Lax v2.0
    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SD-APP-NAME-v2.0
    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SpyLax


  3. Adds the value:

    "SpyLax" = "C:\PROGRA~1\SpyLax\SpyLax.exe"

    to the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it executes whenever Windows starts.

  4. May give exaggerated reports of threats on the computer.

  5. Prompts the user to purchase a registered version of the software in order to remove the falsely reported threats.
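
The file paths and the Run value listed above can be matched against a file listing and Run-key export collected from a host. The Python below is an added example, not part of the original write-up: the function names, the use of the Windows XP default folders from the Note, the treatment of `PROGRA~1` as the short name of `Program Files`, and the sample host data are all assumptions made for illustration.

```python
import re

# Windows XP defaults from the write-up's Note; other layouts must be supplied.
XP_DEFAULTS = {
    "%programfiles%": r"C:\Program Files",
    "%system%": r"C:\Windows\System32",
    "%windir%": r"C:\Windows",
    "%systemdrive%": "C:",
}

# A subset of the write-up's paths that are specific to this program.
SPECIFIC = [
    r"%ProgramFiles%\SpyLax\SpyLax.exe",
    r"%ProgramFiles%\SpyLax\rmcomtb.exe",
    r"%ProgramFiles%\SpyLax\RegistrySpylist",
    r"%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Spy Lax v2.0\SpyLax v2.0.lnk",
]
# Also listed in the write-up, but these are Visual Basic 6 controls that
# other software installs too, so they are reported separately as weak hits.
SHARED = [r"%System%\MSCOMCT2.OCX", r"%System%\Richtx32.ocx", r"%System%\TABCTL32.OCX"]
# Value name and data the write-up reports under HKLM\...\CurrentVersion\Run.
RUN_VALUE = ("SpyLax", r"C:\PROGRA~1\SpyLax\SpyLax.exe")

# Constructed sample data for two hosts (not taken from the write-up).
INFECTED_FILES = [r"C:\Program Files\SpyLax\SpyLax.exe", r"C:\WINDOWS\system32\mscomct2.ocx"]
CLEAN_FILES = [r"C:\WINDOWS\system32\TABCTL32.OCX", r"C:\Program Files\Other\app.exe"]


def expand(path, env=XP_DEFAULTS):
    """Replace the write-up's %Variable% tokens and fold case for comparison."""
    out = re.sub(r"%[^%]+%", lambda m: env.get(m.group(0).lower(), m.group(0)), path)
    return out.lower()


def triage(file_listing, run_values, env=XP_DEFAULTS):
    """Return (specific_hits, shared_hits, run_hit) for one host's collected data."""
    seen = {p.strip().lower() for p in file_listing}
    specific = [p for p in SPECIFIC if expand(p, env) in seen]
    shared = [p for p in SHARED if expand(p, env) in seen]
    # Tools may report the Run data in 8.3 or long form, quoted or not.
    # Assumption: PROGRA~1 is the 8.3 short name of "Program Files".
    long_form = RUN_VALUE[1].lower().replace("progra~1", "program files")
    data = run_values.get(RUN_VALUE[0], "").strip('"').lower()
    run_hit = data in (RUN_VALUE[1].lower(), long_form)
    return specific, shared, run_hit
```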

