> Sunshinespy Brings No Warmth To Your Computer
Grinler
post Oct 24 2007, 12:47 PM
Post #1


Bleep Bleep!
******

Group: Admin
Posts: 28,265
Joined: 24-January 04
From: USA
Member No.: 3



A new rogue anti-spyware program has been released called SunshineSpy. Typically, when a rogue is released it is bundled with malware that does the dirty job of changing your desktop to a fake infection warning, showing fake security alerts, installing rootkits to hide it, and changing other system settings. Bold, brazen, and selfish SunshineSpy, on the other hand, decided to just forget about all the other malware and do it all itself.

Once you run the software, SunShineSpy will start listing programs on your computer that are infected. The catch is that these programs are actually legitimate files. For example, the highlighted file above, C:\Windows\System32\blackbox.dll, is a file associated with Microsoft's Digital Rights Management system, a perfectly legitimate file found in Windows.

SunShineSpy also utilizes a rootkit to hide the program's process. When the Sunshine.exe program is launched it will load a rootkit driver called C:\Program Files\SunshineSpy\sunio.sys. This rootkit will hide the Sunshine process so that it cannot be seen from the Windows Task Manager, or other process enumerators, yet the actual file can still be seen.

Furthermore, once you let the program run for a while, sunshinespy.exe will change your desktop to one of the following HTML pages.



or



The strangest thing about this program is that it installs two startup entries in your profile's Startup folder so they are started automatically when Windows starts. These entries are named SunshineSpy and Uninstall and both point to C:\Program Files\SunshineSpy\UNWISE.EXE. What is so strange is that these startup entries will actually prompt you to uninstall the program when you reboot your computer. Not sure what they were thinking there.

In Sophos' write up they state that this program will also cripple your computer by not allowing you to run any other programs. In our testing we did not see this happening and could easily uninstall it via the Add or Remove Programs control panel and a reboot.

This is definitely one of the more bizarre rogue anti-spyware programs we have researched in a while, but still one to stay away from.

Author's Update 11/6/07: It appears that the program now does not automatically uninstall on reboot, but instead launches the SunShineSpy program. It does, though, appear to be using a rootkit. Uninstalling the program from Add or Remove Programs will stop the program from starting up, but you will still need to manually fix your desktop, delete the files, and the service. For help with this, I would advise asking in our forums. - Thanks Leurgy for the prompt retest.


--------------------
Lawrence
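
A triage check for the artifacts named in the post above, as an added example that is not part of the original post or BleepingComputer's removal instructions. The paths and file names are taken from the post; the assumptions are that the Startup entries are .lnk shortcuts and that the driver is registered with a path ending in sunio.sys.

```powershell
# Added example: look for the SunshineSpy artifacts the post describes.
# Paths and names come from the post; the report wording is this example's own.
$installDir = 'C:\Program Files\SunshineSpy'
$findings   = New-Object System.Collections.Generic.List[string]

# 1. Files the post names: the program, the rootkit driver and the uninstaller.
foreach ($name in 'Sunshine.exe', 'sunshinespy.exe', 'sunio.sys', 'UNWISE.EXE') {
    $path = Join-Path $installDir $name
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# 2. Shortcuts in this profile's Startup folder that resolve into the install directory
#    (assumption: the entries are .lnk shortcuts).
$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -like "$installDir\*") {
        $findings.Add("Startup entry '$($_.BaseName)' -> $target")
    }
}

# 3. A kernel driver registered with a path ending in sunio.sys (assumption, see lead-in).
$drivers = @(Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like '*\sunio.sys' })
foreach ($d in $drivers) {
    $findings.Add("Driver '$($d.Name)' state=$($d.State) path=$($d.PathName)")
}

# 4. Cross-check: the post says the process is hidden from process enumerators
#    while the files stay visible, so a running driver with no listed process is a signal.
$visible = @(Get-Process -Name 'Sunshine', 'sunshinespy' -ErrorAction SilentlyContinue)
if ($visible.Count -gt 0) {
    foreach ($p in $visible) { $findings.Add("Process visible: $($p.ProcessName) (PID $($p.Id))") }
} elseif ($drivers | Where-Object { $_.State -eq 'Running' }) {
    $findings.Add('Driver running but no Sunshine process listed: consistent with the process hiding described')
}

if ($findings.Count -eq 0) { 'No SunshineSpy artifacts from the post were found.' }
else { $findings }
```

Run it from the affected user's profile, since the Startup folder it inspects is per-user.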
thewall
post Oct 28 2007, 03:20 PM
Post #2


Senior Member
****

Group: HJT Senior Classmen
Posts: 512
Joined: 19-June 07
From: North Fla. U.S.A.
Member No.: 137,685



QUOTE
The strangest thing about this program is that it installs two startup entries in your profile's Startup folder so they are started automatically when Windows starts. These entries are named SunshineSpy and Uninstall and both point to C:\Program Files\SunshineSpy\UNWISE.EXE. What is so strange is that these startup entries will actually prompt you to uninstall the program when you reboot your computer. Not sure what they were thinking there.





Although malware is never really funny, for some reason this struck me as being hilarious.
tuxmaster
post Oct 30 2007, 08:44 AM
Post #3


New Member
*

Group: Members
Posts: 14
Joined: 12-October 07
Member No.: 162,496



My only response is huh.gif


--------------------
-------------------------------------------------------------------------------------
Please respond with the final results after I fix your issue. I like to know the final Results after Solving a Problem. Do not PM me for your issue post in the forums.
~Tuxmaster
DarkNight
post Nov 5 2007, 11:42 AM
Post #4


Forum Regular
***

Group: Members
Posts: 231
Joined: 5-July 07
Member No.: 141,582



Malware is terrible to get, but this is the world's weirdest rogue anti-software ever. I mean, it asks you to uninstall it, lol
sumthingxtreme
post Mar 6 2008, 03:10 AM
Post #5


New Member
*

Group: Members
Posts: 1
Joined: 6-March 08
Member No.: 194,585



Hey, I'm going to feel really dumb for asking this, but I'm new to this and I was wondering if you would send me a message or something to tell me how in the heck I post blogs? Because I have a problem I want people to help me with if they can. Thank you.
david28
post Mar 20 2008, 02:45 AM
Post #6


Forum Member
******

Group: Members
Posts: 1,611
Joined: 20-September 07
Member No.: 157,913



LOL

I think that the warning pop-ups that come with these programs just look wrong. I mean, the GUIs of all of these programs are good, but those pop-up messages are just really out of place and look like they were created with Paint, making it easier for the average home user to pick up that it is fake.

Regards,
David.


--------------------
David

Also known as TechSabre
ruby1
post Apr 19 2008, 07:08 AM
Post #7


a forum member
******

Group: Members
Posts: 1,620
Joined: 27-August 07
Member No.: 153,171



QUOTE(sumthingxtreme @ Mar 6 2008, 09:10 AM) *
Hey, I'm going to feel really dumb for asking this, but I'm new to this and I was wondering if you would send me a message or something to tell me how in the heck I post blogs? Because I have a problem I want people to help me with if they can. Thank you.

Hi; if you need help on a problem, maybe start your own thread in http://www.bleepingcomputer.com/forums/forum64.html

and tell us your Windows version, your antivirus protection and other protection programs you have on board, what problems you are having with what and we can see how we can help?

© 2003-2008 All Rights Reserved Bleeping Computer LLC.