SpyDevastator

Updated: September 9, 2008 1:32:46 PM
Type: Misleading Application
Name: SpyDevastator
Version: 1.0.0.0
Publisher: SpyDevastator.com
Risk Impact: Medium
Systems Affected: Windows

Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the threats.

Installation
When the program is executed, it creates the following folders:
  • C:\Documents and Settings\[CURRENT USER]\My Documents\SpyDevastator\Logs
  • %UserProfile%\Start Menu\Programs\SpyDevastator


It also creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyDevastator 1.32.lnk
  • %UserProfile%\Desktop\SpyDevastator.lnk
  • %UserProfile%\Local Settings\Temp\[RANDOM NAME].TMP
  • %UserProfile%\Local Settings\Temp\SDevLanguage.ini
  • C:\Documents and Settings\[CURRENT USER]\My Documents\SpyDevastator\SDBHO.dll
  • C:\Documents and Settings\[CURRENT USER]\My Documents\SpyDevastator\sdcfg.dat
  • %UserProfile%\Start Menu\Programs\SpyDevastator\SpyDevastator 1.32.lnk
  • %UserProfile%\Start Menu\Programs\SpyDevastator\SpyDevastator Website.lnk
  • %UserProfile%\Start Menu\SpyDevastator 1.32.lnk
  • %ProgramFiles%\SpyDevastator\blacklist.txt
  • %ProgramFiles%\SpyDevastator\Lang\English.ini
  • %ProgramFiles%\SpyDevastator\msvcp71.dll
  • %ProgramFiles%\SpyDevastator\msvcr71.dll
  • %ProgramFiles%\SpyDevastator\sdev.sgn
  • %ProgramFiles%\SpyDevastator\sdev.sgn.prv
  • %ProgramFiles%\SpyDevastator\SpyDevastator.exe
  • %ProgramFiles%\SpyDevastator\SpyDevastator.url
  • %ProgramFiles%\SpyDevastator\uninst.exe


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\"SpyDevastator" = "C:\Program Files\SpyDevastator\SpyDevastator.exe /h"

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\SpyDevastator.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyDevastator
  • HKEY_CURRENT_USER\Software\SpyDevastator
  • HKEY_CLASSES_ROOT\CLSID\{26F094F0-D2BD-5F02-03AE-2232D5E967E0}
  • HKEY_CLASSES_ROOT\CLSID\{4A277263-267B-42dc-8514-7B69E02048B3}
  • HKEY_CLASSES_ROOT\CLSID\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}
  • HKEY_CLASSES_ROOT\CLSID\{D35BF620-EF22-4062-839C-64C534B4589B}
  • HKEY_CLASSES_ROOT\COMApp.1
  • HKEY_CLASSES_ROOT\COMApp
  • HKEY_CLASSES_ROOT\IEBHO.IEBHO.1
  • HKEY_CLASSES_ROOT\IEBHO.IEBHO
  • HKEY_CLASSES_ROOT\SpyDevastator.COMApp.1
  • HKEY_CLASSES_ROOT\SpyDevastator.COMApp
  • HKEY_CLASSES_ROOT\TypeLib\{09935339-92A8-4055-BB35-7247F6D12D6A}
  • HKEY_CLASSES_ROOT\TypeLib\{6FC10398-DF37-4894-88D1-5CC73B66B5AE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{528A3CF7-AAF9-42FE-A5D0-2A8EDA9E299E}