Spyware.Visage

SUMMARY

Behavior

Spyware.Visage logs keystrokes, captures screenshots, and monitors Internet activity.

Symptoms

Your Symantec program detects Spyware.Visage.

Transmission

Spyware.Visage must be manually installed.

Protection

• Virus Definitions (LiveUpdate™ Weekly) June 15, 2005
• Virus Definitions (Intelligent Updater) June 10, 2005

TECHNICAL DETAILS

When Spyware.Visage is installed, it performs the following actions:

1. Creates the following files:
   
   
   • %System%Log.idx
   • %System%Mciwinen.dll (viral)
   • %System%mscalctl.dll
   • %System%MSCHRT20.OCX
   • %System%Process.idx
   • %System%cSetup.dll
   • %System%Scr.Idx
   • %System%SnapData.dat
   • %System%URL.idx
   • %System%visage.exe (viral)
   • %System%Winsecmp.dll
     
     Note: %System% is a variable that refers to the System folder. By default this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).
     
     
2. Creates the following registry keys:
   
   HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{47267358-EC3D-44A1-9A93-4C8CC18B4B29}
   HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{8EEC0357-B449-4E84-99D7-7AC79E4ED11D}
   HKEY_LOCAL_MACHINESOFTWAREClassesMciwinen.Mciwin
   HKEY_LOCAL_MACHINESOFTWAREClassesMciwinen.Mciwin.1
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp PathsVisage.exe
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall{93606955-BB64-4848-AE69-C6010132A950}
   HKEY_LOCAL_MACHINESOFTWARESTS DevelopmentVisage
   HKEY_CURRENT_USERSoftwareVisage
   
   
3. Adds the value:
   
   "{47267358-EC3D-44A1-9A93-4C8CC18B4B29}" = ""
   
   to the registry subkey:
   
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks
   
   
4. Logs keystrokes, captures screenshots, and monitors Internet activity.

REMOVAL

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Uninstall the security risk.
2. Delete any values added to the registry.

1. To uninstall the security risk
This security risk includes an uninstallation applet. In order to uninstall this security risk, complete the following instructions:

1. Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).
   
   
2. In the Control Panel window, double-click Add/Remove Programs.
   
   Windows Me only: If you do not see the Add/Remove Programs icon, click ...view all Control Panel options.
   
   
3. Click Visage.
   
   Note: You may need to use the scroll bar to view the whole list.
   
   
4. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.
   
   Note: After running the Add/Remove programs applet, all the files may have been removed. You will want to run a full system scan to ensure that this is the case. However, it is possible that no files will be detected after using Add/Remove programs.
   
   

2. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit
   
   Then click OK.
   
   Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
   
   
3. Navigate to the subkey:
   
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks
   
   
4. In the right pane, delete the value, if present:
   
   "{47267358-EC3D-44A1-9A93-4C8CC18B4B29}" = ""
   
   
5. Navigate to and delete the subkeys:
   
   HKEY_CURRENT_USERSoftwareVisage
   
   
6. Exit the Registry Editor.