
VirusMelt

Updated: March 11, 2009 9:32:17 PM
Type: Misleading Application
Infection Length: 1,880,576 bytes
Name: Virus Melt
Version: 3.0.1.4
Publisher: iSystems Inc.
Risk Impact: Medium
Systems Affected: Windows

Behavior
The misleading application must be manually installed.

It can be downloaded from the following location:
[http://]code.google.com/p/vmlt/source/browse/tr[REMOVED]

It displays a warning that potential threats have been found. The program reports false or exaggerated system security threats on the computer.

The risk reports the exaggerated security threats to be any of the following:
  • BAT.Looper
  • Packed.Win32.PolyCrypt
  • SpamTool.Win32.Delf.h
  • Trojan-IM.Win32.Faker.a
  • Trojan-PSW.BAT.Cunter
  • Trojan-PSW.VBS.Half
  • Trojan-PSW.Win32.Antigen.a
  • Trojan-PSW.Win32.Delf.d
  • Trojan-PSW.Win32.Dripper
  • Trojan-PSW.Win32.Fantast
  • Trojan-PSW.Win32.Hooker
  • Trojan-SMS.J2ME.RedBrowser.a
  • Trojan-Spy.HTML.Bankfraud.ix
  • Trojan-Spy.HTML.Bankfraud.ra
  • Trojan-Spy.HTML.Bayfraud.hn
  • Trojan-Spy.HTML.Citifraud
  • Trojan-Spy.HTML.Paypal.hn
  • Trojan-Spy.HTML.Sunfraud.a
  • Trojan-Spy.Win32.WMPatch
  • Trojan.BAT.AnitV.a
  • Virus.BAT.Gray.705
  • Virus.BAT.IBBM.ClsV
  • Virus.Win32.Faker.a


It then displays a user interface containing a system status warning to convince the user to purchase full protection. The user is prompted to pay for a full license of the application in order to remove the threats.

It connects to the following location and may download additional files:
[http://]updvms.cn:9666/Instruct[REMOVED]


Installation
When the program is executed, it creates the following files:
  • C:\Documents and Settings\All Users\Application Data\System Data\vd952342.bd
  • C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini
  • %UserProfile%\Start Menu\Programs\Virus Melt.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus Melt.lnk


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Virus Melt" = "[PATH TO EXECUTABLE] /s"

It then creates the following registry subkeys:
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler

It also creates the following registry entries. The last two weaken Internet Explorer's download protection: with CheckExeSignatures set to "no" and RunInvalidSignatures set to 1, Internet Explorer no longer verifies the Authenticode signature of downloaded executables and runs files with a missing or invalid signature without prompting, which makes it easier for the application to fetch and execute further unsigned components.
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\"Default" = "[PATH TO EXECUTABLE]"
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\"Default" = "[EXECUTABLE FILE NAME].DocHostUIHandler"
  • HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler\"Default" = "Implements DocHostUIHandler"
  • HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler\Clsid\"Default" = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "no"
  • HKEY_\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "1"
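The registry artifacts above are what an analyst checks first on a suspect host, and they are easiest to check offline against a regedit export (`reg export` or File > Export in regedit). The script below is an added example, not Symantec's tooling and not part of the original writeup: it parses a .reg export into a dictionary and flags the Run-key persistence, the hard-coded CLSID, the DocHostUIHandler ProgID and the two Internet Explorer Download settings listed above. The Download check matches on the key suffix so it catches the value under either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE. The embedded export text is constructed for illustration, and the executable path in it (C:\VirusMelt\VirusMelt.exe) is a stand-in for the page's "[PATH TO EXECUTABLE]" placeholder.

```python
import re

# Indicators transcribed from the Installation section of this writeup.
VIRUSMELT_CLSID = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IE_DOWNLOAD_SUFFIX = r"\Software\Microsoft\Internet Explorer\Download"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def _decode_data(rhs):
    """Decode the right-hand side of a .reg value line.

    Quoted strings are unescaped (regedit writes \\ for a backslash and
    \" for a quote), dword: values become int; any other type (hex:,
    hex(2): ...) is returned as the raw text."""
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if rhs.lower().startswith("dword:"):
        return int(rhs[6:], 16)
    return rhs


def parse_reg_export(text):
    """Parse regedit export text into {key_path: {value_name: data}}.

    The default value ('@' in the export) is stored as '(Default)'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else m.group(1)
            keys[current][name] = _decode_data(m.group(2))
    return keys


def find_virusmelt_indicators(keys):
    """Return (key, value_name, data, reason) tuples for every match.

    Key-level findings carry None for value_name and data."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        # Key-level indicator: the fixed CLSID of the COM registration.
        if VIRUSMELT_CLSID.lower() in k:
            findings.append((key, None, None, "VirusMelt CLSID key present"))
        for name, data in values.items():
            n = name.lower()
            text = str(data)
            if k == RUN_KEY.lower() and n == "virus melt":
                findings.append((key, name, data, "Run-key persistence"))
            elif k.startswith("hkey_classes_root\\") and k.endswith(".dochostuihandler") and name == "(Default)":
                findings.append((key, name, data, "DocHostUIHandler ProgID"))
            elif k.endswith(".dochostuihandler\\clsid") and VIRUSMELT_CLSID.lower() in text.lower():
                findings.append((key, name, data, "ProgID points at VirusMelt CLSID"))
            elif k.endswith(IE_DOWNLOAD_SUFFIX.lower()):
                # Either hive: the writeup lists HKCU for one value and a
                # truncated hive for the other, so match on the key suffix.
                if n == "checkexesignatures" and text.lower() == "no":
                    findings.append((key, name, data, "IE Authenticode check on downloads disabled"))
                elif n == "runinvalidsignatures" and text == "1":
                    findings.append((key, name, data, "IE allowed to run downloads with invalid signatures"))
    return findings


# Constructed regedit export for illustration, not a capture from a real
# infection.  C:\VirusMelt\VirusMelt.exe stands in for "[PATH TO EXECUTABLE]".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Virus Melt"="C:\\VirusMelt\\VirusMelt.exe /s"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\VirusMelt\\VirusMelt.exe"

[HKEY_CLASSES_ROOT\VirusMelt.DocHostUIHandler]
@="Implements DocHostUIHandler"

[HKEY_CLASSES_ROOT\VirusMelt.DocHostUIHandler\Clsid]
@="{3F2BBC05-40DF-11D2-9455-00104BC936FF}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, data, reason in find_virusmelt_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{reason}: {key}" + (f" | {name} = {data!r}" if name is not None else ""))
```

On a live host, feed the script the output of `reg export HKCU hkcu.reg` and `reg export HKCR hkcr.reg` (both as text) instead of the embedded sample; a hit on the Run value or the CLSID key is a strong indicator, while the two Download values alone only show that IE's signature checks have been turned off, which other software may also do.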