Spyviper
Friday, June 27 2008
Symantec Security Response
http://www.symantec.com/business/security_response/index.jsp
Spyviper
Updated: February 13, 2007 11:49:25 AM
Type: Misleading Application
Publisher: Spyviper.com
Risk Impact: Medium
File Names: SpyViperDemo.msi, SpyViperDemo.exe, Apprestart.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
SUMMARY
Behavior
SpyViper is a security risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.
Symptoms
Your Symantec program detects SpyViper.
Transmission
This security risk is manually downloaded and installed.
Protection
- Initial Rapid Release version April 5, 2006
- Latest Rapid Release version June 14, 2008 revision 017
- Initial Daily Certified version April 5, 2006
- Latest Daily Certified version June 14, 2008 revision 016
- Initial Weekly Certified release date April 5, 2006
TECHNICAL DETAILS
When ScanandRepair is installed, it performs the following actions:
- Creates the following folder:
%ProgramFiles%\SpyViper Demo
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the following files:
- C:\Program Files\SpyViper Demo\AppRestart.exe
- C:\Program Files\SpyViper Demo\BlockedCookies.dat
- C:\Program Files\SpyViper Demo\ExeDefinition.dat
- C:\Program Files\SpyViper Demo\FileDefinition.dat
- C:\Program Files\SpyViper Demo\help.chm
- C:\Program Files\SpyViper Demo\RegistryDefinition.dat
- C:\Program Files\SpyViper Demo\riched32.dll
- C:\Program Files\SpyViper Demo\Scan_Log.txt
- C:\Program Files\SpyViper Demo\SpyViper.com.url
- C:\Program Files\SpyViper Demo\SpyViperDemo.exe
- C:\WINDOWS\Installer\[random].msi
- C:\WINDOWS\system32\actskn43.ocx
- C:\WINDOWS\system32\mscomct2.ocx
- C:\WINDOWS\system32\mscomctl.ocx
- C:\WINDOWS\system32\richtx32.ocx
- C:\WINDOWS\system32\skinboxer43.dll
- C:\WINDOWS\system32\tabctl32.ocx
- C:\Documents and Settings\Administrator\Desktop\SpyViper Demo.lnk
- C:\Documents and Settings\Administrator\Start Menu\Programs\SpyViper.com Software\SpyViper Demo\Readme-Help.lnk
- C:\Documents and Settings\Administrator\Start Menu\Programs\SpyViper.com Software\SpyViper Demo\SpyViper Demo.lnk
- C:\Documents and Settings\Administrator\Start Menu\Programs\SpyViper.com Software\SpyViper Demo\SpyViper.com.url
- C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{7D77157C-CB0B-443B-A62A-8BCA496BA488}\[random].exe
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\DE3CB23B70E487F42BC60E58932FB63E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7D77157C-CB0B-443B-A62A-8BCA496BA488}
HKEY_ALL_USERS\Software\Microsoft\Installer\Features\C75177D7B0BCB3446AA2B8AC94B64A88
HKEY_ALL_USERS\Software\Microsoft\Installer\Products\C75177D7B0BCB3446AA2B8AC94B64A88
HKEY_ALL_USERS\Software\Microsoft\Installer\UpgradeCodes\DE3CB23B70E487F42BC60E58932FB63E
HKEY_LOCAL_MACHINE\SOFTWARE\SpyViper.com
HKEY_ALL_USERS\Software\UnSpyPC
HKEY_ALL_USERS\Software\VB and VBA Program Settings\AdwareRemovalSoftware
HKEY_ALL_USERS\Software\VB and VBA Program Settings\SpyViper
- Adds the value:
"SpyViperDemo" = "C:\Program Files\SpyViper Demo\SpyViperDemo"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it is executed every time Windows starts.
- Adds the values:
"C:\Program Files\SpyViper Demo\" = ""
"C:\Documents and Settings\Administrator\Start Menu\Programs\SpyViper.com Software\" = ""
"C:\Documents and Settings\Administrator\Start Menu\Programs\SpyViper.com Software\SpyViper Demo\" = ""
"C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{7D77157C-CB0B-443B-A62A-8BCA496BA488}" = ""
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
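
A read-only PowerShell check for the artifacts listed above, usable before removal and again afterwards to confirm nothing was left behind. This is an added example, not Symantec's code; the function name Get-SpyViperArtifact is hypothetical, and it assumes that HKEY_ALL_USERS in the write-up means the same subkey under each user hive loaded in HKEY_USERS.

```powershell
# Added example (not Symantec's code): read-only check for artifacts listed above.
function Get-SpyViperArtifact {
    $found = @()

    # Product folder and its two executables, from the file list in the write-up.
    # The system32 .ocx entries are skipped: mscomctl.ocx, mscomct2.ocx,
    # richtx32.ocx and tabctl32.ocx are Microsoft Visual Basic controls that
    # other programs also install.
    $dir = Join-Path $env:ProgramFiles 'SpyViper Demo'
    foreach ($p in @($dir, "$dir\SpyViperDemo.exe", "$dir\AppRestart.exe")) {
        if (Test-Path -LiteralPath $p) { $found += "File: $p" }
    }

    # Machine-wide registry subkeys named in the write-up.
    $hklm = @(
        'SOFTWARE\SpyViper.com',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7D77157C-CB0B-443B-A62A-8BCA496BA488}',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\DE3CB23B70E487F42BC60E58932FB63E'
    )
    foreach ($k in $hklm) {
        if (Test-Path -LiteralPath "HKLM:\$k") { $found += "Key: HKLM\$k" }
    }

    # Assumption: HKEY_ALL_USERS means the same subkey under each loaded
    # user hive, so every SID under HKEY_USERS is checked.
    $perUser = @(
        'Software\UnSpyPC',
        'Software\VB and VBA Program Settings\AdwareRemovalSoftware',
        'Software\VB and VBA Program Settings\SpyViper',
        'Software\Microsoft\Installer\Products\C75177D7B0BCB3446AA2B8AC94B64A88'
    )
    $hives = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
    foreach ($hive in $hives) {
        foreach ($k in $perUser) {
            $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$k"
            if (Test-Path -LiteralPath $path) { $found += "Key: $path" }
        }
    }

    # Autostart value that launches the program every time Windows starts.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['SpyViperDemo']) {
        $found += "Run value: SpyViperDemo = $($run.SpyViperDemo)"
    }
    return $found
}

Get-SpyViperArtifact   # prints nothing when no listed artifact is present
```
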
REMOVAL
The following instructions pertain to all Symantec antivirus products that support security risk detection.
- Update the definitions.
- Uninstall the security risk.
For specific details on each of these steps, read the following instructions.
1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.
2. To uninstall the security risk
This security risk includes an uninstallation applet. In order to uninstall this security risk, complete the following instructions:
- Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).
- In the Control Panel window, double-click Add/Remove Programs.
Windows Me only: If you do not see the Add/Remove Programs icon, click ...view all Control Panel options.
- Click "SpyViper Demo".
Note: You may need to use the scroll bar to view the whole list.
- Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.
Note: After running the Add/Remove programs applet, all the files may have been removed. You will want to run a full system scan to ensure that this is the case. However, it is possible that no files will be detected after using Add/Remove programs.

