March 11, 2009 9:32:17 PM
Misleading Application
Infection Length: 1,880,576 bytes
Virus Melt
iSystems Inc.
Risk Impact:
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
The misleading application must be manually installed.

It can be downloaded from the following location:

It displays the following warning of potential threats found:

The program reports false or exaggerated system security threats on the computer.

The exaggerated security threats it reports may be any of the following:
  • BAT.Looper
  • Packed.Win32.PolyCrypt
  • SpamTool.Win32.Delf.h
  • Trojan-IM.Win32.Faker.a
  • Trojan-PSW.BAT.Cunter
  • Trojan-PSW.VBS.Half
  • Trojan-PSW.Win32.Antigen.a
  • Trojan-PSW.Win32.Delf.d
  • Trojan-PSW.Win32.Dripper
  • Trojan-PSW.Win32.Fantast
  • Trojan-PSW.Win32.Hooker
  • Trojan-SMS.J2ME.RedBrowser.a
  • Trojan-Spy.HTML.Bankfraud.ix
  • Trojan-Spy.HTML.Bankfraud.ra
  • Trojan-Spy.HTML.Bayfraud.hn
  • Trojan-Spy.HTML.Citifraud
  • Trojan-Spy.HTML.Paypal.hn
  • Trojan-Spy.HTML.Sunfraud.a
  • Trojan-Spy.Win32.WMPatch
  • Trojan.BAT.AnitV.a
  • Virus.BAT.Gray.705
  • Virus.BAT.IBBM.ClsV
  • Virus.Win32.Faker.a

It displays a user interface containing a system status warning to convince the user to purchase full protection:

The user is then prompted to pay for a full license of the application in order to remove the threats.

It connects to the following location and may download additional files:

When the program is executed, it creates the following files:
  • C:\Documents and Settings\All Users\Application Data\System Data\vd952342.bd
  • C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini
  • %UserProfile%\Start Menu\Programs\Virus Melt.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus Melt.lnk

Next, the program creates the following registry entry so that it executes whenever Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Virus Melt" = "[PATH TO EXECUTABLE] /s"

It then creates the following registry subkey:
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

It also creates the following registry entries:
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\"Default" = "[PATH TO EXECUTABLE]"
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\"Default" = "[EXECUTABLE FILE NAME].DocHostUIHandler"
  • HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler\"Default" = "Implements DocHostUIHandler"
  • HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler\Clsid\"Default" = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "no"
  • HKEY_\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "1"
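
A triage check for the registry indicators listed above, added here as an example (it is not Symantec's code): it parses the text of a regedit export and flags the Run entry, the CLSID registration and the two Internet Explorer Download values. The sample export, its paths and the executable name are constructed placeholders, and the function names are hypothetical.

```python
import re

# Indicators from the write-up above. The hive of the RunInvalidSignatures entry
# is truncated on the page, so the IE Download values are matched under any hive.
CLSID = "{3f2bbc05-40df-11d2-9455-00104bc936ff}"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
IE_DOWNLOAD = r"\software\microsoft\internet explorer\download"
WEAKENED = {"checkexesignatures": "no", "runinvalidsignatures": "1"}
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')

def parse_reg(text):
    """Yield (key, value_name, data) from regedit export text ('' = default value)."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue
        data = m.group("data")
        if data.startswith("dword:"):
            data = str(int(data[6:], 16))               # dword:00000001 -> "1"
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
        yield key, m.group("name") or "", data

def find_virusmelt(text):
    """Yield (indicator, key, value_name, data) for each entry matching the write-up."""
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k == RUN_KEY and n == "virus melt":
            yield ("run-persistence", key, name, data)
        elif CLSID in k or CLSID in d:
            yield ("com-registration", key, name, data)
        elif k.endswith(IE_DOWNLOAD) and WEAKENED.get(n) == d:
            yield ("ie-signature-check-disabled", key, name, data)

# Constructed sample export; paths and the executable name are placeholders.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Virus Melt"="C:\\placeholder\\sample.exe /s"
[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\placeholder\\sample.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
'''

if __name__ == "__main__":
    print(*find_virusmelt(SAMPLE), sep="\n")
```

regedit writes exports as UTF-16, so decode the file before passing its text to `find_virusmelt`.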