Internet Security Source provides daily updates on Internet Threats, Viruses, Worms, Trojans, Spyware and Adware. Subscribe to our newsletter and receive daily updates on threats on the internet.

WorldAntiSpy

Friday, June 27 2008

Symantec Security Response

http://www.symantec.com/business/security_response/index.jsp

WorldAntiSpy

Updated: February 13, 2007 11:49:28 AM
Type: Misleading Application
Publisher: WorldAntiSpy
Risk Impact: Medium
File Names: WorldAntiSpy.exeSetup.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows CE, Windows NT, Windows Server 2003, Windows XP

SUMMARY

Behavior


WorldAntiSpy is a security risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Symptoms


Your Symantec program detects WorldAntiSpy

Transmission


This security risk is manually downloaded and installed.

Protection

  • Initial Rapid Release version April 6, 2006
  • Latest Rapid Release version April 6, 2006
  • Initial Daily Certified version April 6, 2006
  • Latest Daily Certified version April 6, 2006
  • Initial Weekly Certified release date April 12, 2006

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

TECHNICAL DETAILS


When ScanandRepair is installed, it performs the following actions:
  1. Creates the following folder:

    %ProgramFiles%\WorldAntiSpy

    Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following files:

    • C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\WorldAntiSpy.lnk
    • C:\Documents and Settings\Administrator\Desktop\WorldAntiSpy.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WorldAntiSpy.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WorldAntiSpy\Uninstall WorldAntiSpy.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\WorldAntiSpy\WorldAntiSpy.lnk
    • C:\Documents and Settings\Administrator\Application Data\Skinux\WorldAntiSpy\Profile.xml
    • %ProgramFiles%\WorldAntiSpy\imagehlp.dll
    • %ProgramFiles%\WorldAntiSpy\license.txt
    • %ProgramFiles%\WorldAntiSpy\Scanner\Base\base.dat
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\accel.xml
    • %ProgramFiles%\WorldAntiSpy\unicows.dll
    • %ProgramFiles%\WorldAntiSpy\unins000.dat
    • %ProgramFiles%\WorldAntiSpy\unins000.exe
    • %ProgramFiles%\WorldAntiSpy\WorldAntiSpy.exe
    • %ProgramFiles%\WorldAntiSpy\WorldAntiSpy.ico
    • %ProgramFiles%WorldAntiSpy\BaseV.tmp
    • %ProgramFiles%WorldAntiSpy\version.tmp

  3. Creates the following subfolders in the folders %ProgramFiles%\WorldAntiSpy containing various files:

    • %ProgramFiles%WorldAntiSpy\Monitor\Snapshot
    • %ProgramFiles%\WorldAntiSpy\Monitor
    • %ProgramFiles%\WorldAntiSpy\Scanner
    • %ProgramFiles%\WorldAntiSpy\Scanner\Base
    • %ProgramFiles%\WorldAntiSpy\Skinux
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\by_now
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\close
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\connection_settings
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\live_suppport
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\minimize
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\options
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\PBabout
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\PBie
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\PBpcshield
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\PBquarantine
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\PBscan
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\PBsysinfo
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\PBUpdate
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\red_simple
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\Register
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\remove_button
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\simple
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\simple_large
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\Buttons\sysinfo
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\elements
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\elements\scroll
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\elements\arrow_down
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\elements\arrow_up
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\panels
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\panels\update
    • %ProgramFiles%\WorldAntiSpy\Skinux\WorldAntiSpy\Skins\Classic\windows
    • C:\Documents and Settings\Administrator\Application Data\Skinux\WorldAntiSpy

  4. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WorldAntiSpy.com_is1
    HKEY_LOCAL_MACHINE\SOFTWARE\WorldAntiSpy.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General


REMOVAL


The following instructions pertain to all Symantec antivirus products that support security risk detection.
  1. Update the definitions.
  2. Uninstall the security risk.
  3. Run the scan.
  4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.
  1. To update the definitions
    To obtain the most recent definitions, start your Symantec program and run LiveUpdate.
  2. To remove the risk
    This security risk includes an uninstallation applet. In order to uninstall this security risk, complete the following instructions:

    a. Delete the following files and folders if they exist:

    %ProgramFiles%\WorldAntiSpy
    C:\Documents and Settings\All Users\Start Menu\Programs\WorldAntiSpy
    C:\Documents and Settings\Administrator\Application Data\Skinux\WorldAntiSpy
    C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\WorldAntiSpy.lnk
    C:\Documents and Settings\Administrator\Desktop\WorldAntiSpy.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WorldAntiSpy.lnk

  3. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit

    Then click OK.

    Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
  3. Navigate to and delete the following registry entries if they exist:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WorldAntiSpy.com_is1
    HKEY_LOCAL_MACHINE\SOFTWARE\WorldAntiSpy.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General

  4. Exit the Registry Editor.




Read More:
WorldAntiSpy
Also See:
CodeClean
AntiVirus2008
AntiVirusGold
SpySpeed
SpywareAnnihilatorPro