Threat behavior
Trojan:Win32/WinSpywareProtect is a program that may falsely claim that the user's system is infected and encourages the user to buy a promoted product for cleaning the alleged malware from the computer.
Installation
Win32/WinSpywareProtect may be installed from the program's web site or by social engineering from third party web sites. The installer may make the following system changes:
The registry may be modified to execute Win32/WinSpywareProtect at each Windows start.
Adds value: "InstallProgram"
With data: "%ProgramFiles%\winspywareprotect\winspywareprotect.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The following registry modifications may also be made during installation:
Adds value: "InstallDate"
With data: "¦..&"
To subkey: HKCU\Software\Adsl Software Limited\Installer
Adds value: "4E8D9EBF-122C-42BD-A8CB-7E59C9CC08BA"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Drivers\Video\Options\
Adds value: "lid"
With data: "-1"
To subkey: HKCU\SOFTWARE\Adsl Software Limited\WinSpywareProtect\
Analysis by Subratam Biswas
Prevention
