PyroAntiSpy

Updated: August 1, 2008 2:25:04 PM
Type: Misleading Application
Name: PyroAntiSpy
Version: 2.2.0.0
Publisher: PyroAntiSpy.com
Risk Impact: Medium
Systems Affected: Windows

Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the threats.

Installation
When the program is executed, it creates the following folder:
%ProgramFiles%\PyroAntiSpy\Logs

It also creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PyroAntiSpy 2.2.lnk
  • %UserProfile%\Desktop\PyroAntiSpy.lnk
  • %UserProfile%\Local Settings\Temp\[Random Name].TMP
  • %UserProfile%\Start Menu\Programs\PyroAntiSpy\PyroAntiSpy 2.2 Website.lnk
  • %UserProfile%\Start Menu\Programs\PyroAntiSpy\PyroAntiSpy 2.2.lnk
  • %UserProfile%\Start Menu\Programs\PyroAntiSpy\Uninstall PyroAntiSpy 2.2.lnk
  • %UserProfile%\Start Menu\PyroAntiSpy 2.2.lnk
  • %ProgramFiles%\PyroAntiSpy\blacklist.txt
  • %ProgramFiles%\PyroAntiSpy\Lang\English.ini
  • %ProgramFiles%\PyroAntiSpy\msvcp71.dll
  • %ProgramFiles%\PyroAntiSpy\msvcr71.dll
  • %ProgramFiles%\PyroAntiSpy\PyroAntiSpy.exe
  • %ProgramFiles%\PyroAntiSpy\PyroAntiSpy.url
  • %ProgramFiles%\PyroAntiSpy\ref.dat
  • %ProgramFiles%\PyroAntiSpy\uninst.exe


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PyroAntiSpy" = "C:\Program Files\PyroAntiSpy\PyroAntiSpy.exe /h"

It also creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PyroAntiSpy.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PyroAntiSpy
  • HKEY_LOCAL_MACHINE\SOFTWARE\PyroAntiSpy
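
A read-only check for the named files and registry entries listed above, as an added example (not Symantec's tooling and not part of the original write-up). Two assumptions go beyond the page: it walks every profile found under the ProfileList registry key instead of only the current %UserProfile%, and it also looks under Program Files (x86) and Wow6432Node in case the program was installed on 64-bit Windows.

```powershell
# Added example: reports PyroAntiSpy artifacts, changes and removes nothing.
function Find-PyroAntiSpyArtifact {
    $hits = @()

    # Program folder. The (x86) variant is an assumption for 64-bit Windows.
    $programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($pf in $programDirs) {
        $dir = Join-Path $pf 'PyroAntiSpy'
        if (Test-Path -LiteralPath $dir) { $hits += "Folder: $dir" }
    }

    # Per-user shortcuts, relative to each profile (XP-style layout from the page).
    $relative = @(
        'Desktop\PyroAntiSpy.lnk',
        'Start Menu\PyroAntiSpy 2.2.lnk',
        'Start Menu\Programs\PyroAntiSpy',
        'Application Data\Microsoft\Internet Explorer\Quick Launch\PyroAntiSpy 2.2.lnk'
    )
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profiles = Get-ChildItem -Path $profileList | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    } | Where-Object { $_ }
    foreach ($userDir in $profiles) {
        foreach ($rel in $relative) {
            $path = Join-Path $userDir $rel
            if (Test-Path -LiteralPath $path) { $hits += "Shortcut: $path" }
        }
    }

    # Startup entry and named subkeys, in the native and the WOW64 registry view.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $cv  = "$root\Microsoft\Windows\CurrentVersion"
        $run = Get-ItemProperty -Path "$cv\Run" -Name 'PyroAntiSpy' -ErrorAction SilentlyContinue
        if ($run) { $hits += "Run value: $cv\Run -> $($run.PyroAntiSpy)" }
        foreach ($key in "$root\PyroAntiSpy", "$cv\Uninstall\PyroAntiSpy", "$cv\App Paths\PyroAntiSpy.exe") {
            if (Test-Path -LiteralPath $key) { $hits += "Key: $key" }
        }
    }
    return $hits
}

$found = @(Find-PyroAntiSpyArtifact)
if ($found.Count) { $found } else { 'No PyroAntiSpy artifacts found.' }
```

Run it from an elevated prompt so that other users' profile folders are readable.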


Similar Security Risks

AntiVirGear

