
VirusMelt

Updated:
March 11, 2009 9:32:17 PM
Type:
Misleading Application
Infection Length:
1,880,576 bytes
Name:
Virus Melt
Version:
3.0.1.4
Publisher:
iSystems Inc.
Risk Impact:
Medium
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Behavior
The misleading application must be manually installed.

It can be downloaded from the following location:
[http://]code.google.com/p/vmlt/source/browse/tr[REMOVED]

It displays a warning that potential threats have been found (screenshot not reproduced here).

The program reports false or exaggerated system security threats on the computer.



The application reports the exaggerated security threats as any of the following (the names imitate legitimate antivirus detection names; none of these detections are real on the affected computer):
  • BAT.Looper
  • Packed.Win32.PolyCrypt
  • SpamTool.Win32.Delf.h
  • Trojan-IM.Win32.Faker.a
  • Trojan-PSW.BAT.Cunter
  • Trojan-PSW.VBS.Half
  • Trojan-PSW.Win32.Antigen.a
  • Trojan-PSW.Win32.Delf.d
  • Trojan-PSW.Win32.Dripper
  • Trojan-PSW.Win32.Fantast
  • Trojan-PSW.Win32.Hooker
  • Trojan-SMS.J2ME.RedBrowser.a
  • Trojan-Spy.HTML.Bankfraud.ix
  • Trojan-Spy.HTML.Bankfraud.ra
  • Trojan-Spy.HTML.Bayfraud.hn
  • Trojan-Spy.HTML.Citifraud
  • Trojan-Spy.HTML.Paypal.hn
  • Trojan-Spy.HTML.Sunfraud.a
  • Trojan-Spy.Win32.WMPatch
  • Trojan.BAT.AnitV.a
  • Virus.BAT.Gray.705
  • Virus.BAT.IBBM.ClsV
  • Virus.Win32.Faker.a


It displays a user interface containing a system status warning to convince the user to purchase full protection (screenshot not reproduced here).

The user is then prompted to pay for a full license of the application in order to remove the threats (screenshot not reproduced here).

It connects to the following location and may download additional files:
[http://]updvms.cn:9666/Instruct[REMOVED]


Installation
When the program is executed, it creates the following files:
  • C:\Documents and Settings\All Users\Application Data\System Data\vd952342.bd
  • C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini
  • %UserProfile%\Start Menu\Programs\Virus Melt.lnk
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus Melt.lnk


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Virus Melt" = "[PATH TO EXECUTABLE] /s"

It then creates the following registry subkeys:
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler

It also creates the following registry entries:
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\"Default" = "[PATH TO EXECUTABLE]"
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\"Default" = "[EXECUTABLE FILE NAME].DocHostUIHandler"
  • HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler\"Default" = "Implements DocHostUIHandler"
  • HKEY_CLASSES_ROOT\[EXECUTABLE FILE NAME].DocHostUIHandler\Clsid\"Default" = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "no"
  • HKEY_\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "1"

The last two entries weaken Internet Explorer's download protection: CheckExeSignatures = "no" turns off the Authenticode check on downloaded executables, and RunInvalidSignatures = "1" lets a download with an invalid or missing signature run without the usual warning. Even after the application itself is removed, these two values should be checked and restored, since they leave the browser more exposed to further unsigned downloads.
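The registry indicators above can be checked without a live system by exporting the relevant keys (`reg export`) and scanning the resulting `.reg` file. The following script is an added example, not part of the Symantec write-up or of the application's own code: it parses a "Windows Registry Editor Version 5.00" export and flags the autorun entry, the two Internet Explorer download settings, the CLSID registration and the DocHostUIHandler ProgID listed on this page. The embedded export is constructed for the example; the executable path `C:\Program Files\Virus Melt\vmlt.exe` and the ProgID prefix `vmlt` are assumptions, since the page gives neither, and the sample places RunInvalidSignatures under HKEY_CURRENT_USER, the same key as CheckExeSignatures, because the page's entry has its hive name truncated.

```python
import re
from typing import Dict, List

# Indicators taken from the write-up above. The executable path is not given on
# the page, so the autorun rule matches on the value name and data, not on a path.
IE_DOWNLOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"
ROGUE_CLSID = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
CLSID_KEY_PREFIX = "HKEY_CLASSES_ROOT\\CLSID\\" + ROGUE_CLSID
RUN_KEY_RE = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

RegDump = Dict[str, Dict[str, object]]


def _unescape(s: str) -> str:
    """Undo the escaping used inside quoted strings in a .reg file."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> RegDump:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key: {value_name: data}}. Quoted strings and dword values are decoded;
    other types (hex:, hex(2):, ...) are kept as the raw right-hand side.
    Value names containing '=' are not handled (not needed for these indicators)."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            dump.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name_part, data_part = line.split("=", 1)
        name = "(Default)" if name_part == "@" else _unescape(name_part.strip('"'))
        if data_part.startswith('"') and data_part.endswith('"'):
            data: object = _unescape(data_part[1:-1])
        elif data_part.lower().startswith("dword:"):
            data = int(data_part[6:], 16)
        else:
            data = data_part
        dump[current][name] = data
    return dump


def find_indicators(dump: RegDump) -> List[str]:
    """Return one finding string per matching indicator from the write-up."""
    findings: List[str] = []
    clsid_seen = False
    for key, values in dump.items():
        if RUN_KEY_RE.match(key):
            for name, data in values.items():
                if "virus melt" in f"{name} {data}".lower():
                    findings.append(f"autorun: {key}\\{name} = {data}")
        if key.lower() == IE_DOWNLOAD_KEY.lower():
            if str(values.get("CheckExeSignatures", "")).lower() == "no":
                findings.append("ie: CheckExeSignatures=no (Authenticode check on downloads disabled)")
            if values.get("RunInvalidSignatures") in (1, "1"):
                findings.append("ie: RunInvalidSignatures=1 (invalid-signature downloads allowed to run)")
        if key.upper().startswith(CLSID_KEY_PREFIX.upper()) and not clsid_seen:
            clsid_seen = True
            findings.append(f"clsid: {ROGUE_CLSID} registered under HKEY_CLASSES_ROOT\\CLSID")
        if key.lower().endswith(".dochostuihandler\\clsid") and values.get("(Default)") == ROGUE_CLSID:
            findings.append(f"progid: {key} points at {ROGUE_CLSID}")
    return findings


# Constructed sample export (not captured from a real infection). The ctfmon.exe
# entry is a benign autorun included to show that unrelated values are not flagged.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Virus Melt"="C:\\Program Files\\Virus Melt\\vmlt.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\Program Files\\Virus Melt\\vmlt.exe"

[HKEY_CLASSES_ROOT\vmlt.DocHostUIHandler\Clsid]
@="{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
'''


def scan_sample() -> List[str]:
    """Run the indicator scan over the constructed export (five findings expected)."""
    return find_indicators(parse_reg_export(SAMPLE_REG_EXPORT))


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

To use it on a real host, export the three key trees (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, `HKCU\Software\Microsoft\Internet Explorer\Download`, `HKCR\CLSID`) with `reg export` and pass the concatenated text to `parse_reg_export`. The CLSID and ProgID rules only confirm that the COM registration from the write-up is present; the autorun and Internet Explorer rules are the ones that matter for cleanup, and the two IE values should be reset even if the executable is already gone.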