UnSpyPC

Type: Program
SubType: Win32
Discovery Date: 12/01/2005
Minimum DAT: 4641 (12/01/2005)
Updated DAT: 4971 (02/26/2007)
Minimum Engine: 5.1.00
Description Added: 12/01/2005
Description Modified: 04/06/2006 3:46 PM (PT)

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program". This is an anti-spyware application claiming to remove unwanted malicious spyware programs. In an attempt to encourage you to buy the full version of the product, it creates several false registry entries and then "detects" them, which may lead you to believe that your computer is infected with malicious spyware programs when in fact it may not be. In order to clean or delete any elements it finds you must first enter a valid serial number which requires purchase of the full version.

The following is an example of the registry entries that were created upon launch of the program. None of the files referenced by these keys existed on the clean test system. They appear to be created solely to ensure there is something to detect when a scan is performed.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "34763"="AppMasterCenter.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "clamav"="AppMasterCenter.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "backd"="panel_its.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "xsetup"="stuffmon.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "backorif"="qwe.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
    "{328C1134-605D-A619-3E65-C85791291948}"="porka_"
  • HKEY_CLASSES_ROOT\CLSID\{328C1134-605D-A619-3E65-C85791291948}
  • HKEY_CLASSES_ROOT\CLSID\{328C1134-605D-A619-3E65-C85791291948}\InprocServer32
  • HKEY_CLASSES_ROOT\CLSID\{328C1134-605D-A619-3E65-C85791291948}\InprocServer32
    "default"="newbreed.dll"
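
An added example (not part of the original description and not McAfee's code): the observation above, that none of the referenced files existed, generalizes to a check for autostart and COM-server registry values that point at absent files. The export text, the `ctfmon` entry and the file inventory below are constructed for illustration.

```python
import ntpath
import re

# Constructed `reg export`-style text: the entries listed above plus one
# constructed benign value (ctfmon) whose target exists. "default" is written @.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"34763"="AppMasterCenter.exe"
"clamav"="AppMasterCenter.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"backd"="panel_its.exe"
"xsetup"="stuffmon.exe"
"backorif"="qwe.exe"
[HKEY_CLASSES_ROOT\CLSID\{328C1134-605D-A619-3E65-C85791291948}\InprocServer32]
@="newbreed.dll"
'''
# Constructed inventory of file names found on disk (assumption: matched by name).
FILES_ON_DISK = {"ctfmon.exe", "explorer.exe"}

AUTOSTART = re.compile(r'\\(Run|RunOnce|InprocServer32)$', re.I)
SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_export(text):
    """Yield (key, value_name, data) for each string value in the export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if m and key:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            yield key, name, re.sub(r'\\(.)', r'\1', m.group(2))  # unescape \\ and \"

def target_file(data):
    """Lowercased file name of the program a value points at (arguments dropped)."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.(?:exe|dll))', data, re.I)
    path = (m.group(1) or m.group(2)) if m else data
    return ntpath.basename(path).lower()

def dangling_entries(export_text, files_on_disk):
    """Autostart/COM-server values whose target file is absent from the inventory."""
    present = {f.lower() for f in files_on_disk}
    return [(k, n, d) for k, n, d in parse_export(export_text)
            if AUTOSTART.search(k) and target_file(d) not in present]
```

`dangling_entries(SAMPLE_EXPORT, FILES_ON_DISK)` returns the six entries from the list above and leaves the constructed `ctfmon` value alone.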

NOTE: More recent versions of this software do not exhibit the behavior of creating misleading Registry entries.

UPDATE 4/6/06: Though false registry keys are not created, the latest versions appear to have extraordinarily generic scanning. The software appears to report as spyware anything in the Start Menu Startup folder, along with many common/benign application entries in other registry startup locations.

This application does display a license agreement when installed. The agreement indicates the "scanning only" functionality of the unregistered version, but does not state that false elements will be created by the software.

Privacy

A privacy policy is not displayed during installation. However, a policy is present on the unspypc.com website: http://www.unspypc.com/privacy.php

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

"*" - Denotes files that, though installed along with the software, are by themselves innocent and not included in detection.

Files Added

  • %ProgramFiles%\unspypc\wover.dat (size may vary)
  • %ProgramFiles%\unspypc\warez.dat (size may vary)
  • %ProgramFiles%\unspypc\unspypcupdate.exe (441 KB)
  • %ProgramFiles%\unspypc\unspypc.exe (988 KB)
    MD5: EBCF81B4B50066C6A7EE5BE20B072712
  • %ProgramFiles%\unspypc\uns.ico (2 KB)
  • %ProgramFiles%\unspypc\uninstall.exe (33 KB)
  • c:\documents and settings\(user name)\start menu\programs\unspypc\
  • c:\documents and settings\(user name)\start menu\programs\unspypc\unspypc.lnk (1 KB)
  • c:\documents and settings\(user name)\start menu\programs\unspypc\uninstall.lnk (1 KB)
  • c:\documents and settings\(user name)\desktop\unspypc scanner & monitor.lnk (1 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\UnSpyPC
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC
  • HKEY_CURRENT_USER\Software\UnSpyPC
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-4734-477F-8257-27CD04F88779}

Network Impact

Additional overhead in bandwidth when performing updates.

Aliases

    N/A