
Sunshinespy Brings No Warmth To Your Computer


  • Please log in to reply
6 replies to this topic

#1 Grinler (Lawrence Abrams)
  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 24 October 2007 - 12:47 PM

A new rogue anti-spyware program has been released called SunshineSpy. Typically, when a rogue is released it is bundled with malware that does the dirty job of changing your desktop to a fake infection warning, showing fake security alerts, installing rootkits to hide it, and changing other system settings. Bold, brazen, and selfish SunShineSpy, on the other hand, decided to just forget about all the other malware and do it all itself.
Once you run the software, SunShineSpy will start listing programs on your computer that are infected. The catch is that these programs are actually legitimate files. For example, the highlighted file above, C:\Windows\System32\blackbox.dll, is a file associated with Microsoft's Digital Rights Management system, a perfectly legitimate file found in Windows. SunShineSpy also utilizes a rootkit to hide the program's process. When the Sunshine.exe program is launched it will load a rootkit driver called C:\Program Files\SunshineSpy\sunio.sys. This rootkit will hide the Sunshine process so that it cannot be seen from the Windows Task Manager or other process enumerators, yet the actual file can still be seen. Furthermore, once you let the program run for a while, sunshinespy.exe will change your desktop to one of the following HTML pages.
The strangest thing about this program is that it installs two startup entries in your profile's Startup folder so they are started automatically when Windows starts. These entries are named SunshineSpy and Uninstall and both point to C:\Program Files\SunshineSpy\UNWISE.EXE. What is so strange is that these startup entries will actually prompt you to uninstall the program when you reboot your computer. Not sure what they were thinking there. In Sophos' write-up they state that this program will also cripple your computer by not allowing you to run any other programs. In our testing we did not see this happening and could easily uninstall it via the Add or Remove Programs control panel and a reboot.

This is definitely one of the more bizarre rogue anti-spyware programs we have researched in a while, but still one to stay away from.

Author's Update 11/6/07: It appears that the program now does not automatically uninstall on reboot, but instead launches the SunShineSpy program. It does, though, appear to be using a rootkit. Uninstalling the program from Add or Remove Programs will stop the program from starting up, but you will still need to manually fix your desktop, delete the files, and the service. For help with this, I would advise asking in our forums. - Thanks Leurgy for the prompt retest.
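The behaviour described in the post above (Startup-folder shortcuts pointing at UNWISE.EXE, the sunio.sys driver hiding the process, the wallpaper swapped for an HTML page) amounts to a concrete checklist a defender can run against a machine. The script below is an added example written for this page; it is not part of the original post and not a BleepingComputer tool. The file names and the C:\Program Files\SunshineSpy path are taken from the post; the -SuspectDir parameter, the shape of the report and the choice of checks are this example's own assumptions. It only reports, it removes nothing.

```powershell
# Added example (not from the original post): read-only triage for the
# indicators described in the thread. Paths and file names come from the
# post; the checks and the report layout are this example's assumptions.
param(
    # Directory the post names as the rogue's install location (assumed default)
    [string]$SuspectDir = 'C:\Program Files\SunshineSpy'
)

$shell = New-Object -ComObject WScript.Shell

# 1. Startup-folder shortcuts (per-user and all-users) and what they launch.
#    The post says two shortcuts, "SunshineSpy" and "Uninstall", both point at UNWISE.EXE.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$startupHits = @(foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Filter '*.lnk' -File | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        [PSCustomObject]@{
            Check   = 'StartupShortcut'
            Item    = $_.FullName
            Target  = $target
            Suspect = ($target -like "$SuspectDir\*")
        }
    }
})

# 2. Files on disk. The post stresses that the rootkit hides the process but
#    not the file, so the file check is the more reliable of the two.
$fileHits = @('Sunshine.exe', 'sunshinespy.exe', 'UNWISE.EXE', 'sunio.sys') | ForEach-Object {
    $p = Join-Path $SuspectDir $_
    [PSCustomObject]@{ Check = 'File'; Item = $p; Target = ''; Suspect = (Test-Path $p) }
}

# 3. Kernel-driver and service registrations whose image lives under the suspect directory
#    (the author's update notes a service that survives the Add or Remove Programs uninstall).
$serviceHits = @(
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like "*$SuspectDir*" } |
        ForEach-Object { [PSCustomObject]@{ Check = 'DriverService'; Item = $_.Name; Target = $_.PathName; Suspect = $true } }
) + @(
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$SuspectDir*" } |
        ForEach-Object { [PSCustomObject]@{ Check = 'Service'; Item = $_.Name; Target = $_.PathName; Suspect = $true } }
)

# 4. Process visibility. An empty result here is NOT evidence of a clean machine:
#    the post says the rootkit hides the process from Task Manager and other enumerators.
$procHits = @(
    Get-Process -Name 'sunshine', 'sunshinespy' -ErrorAction SilentlyContinue |
        ForEach-Object { [PSCustomObject]@{ Check = 'VisibleProcess'; Item = $_.ProcessName; Target = $_.Path; Suspect = $true } }
)

# 5. Desktop wallpaper. The post says the rogue swaps the desktop for an HTML page;
#    a wallpaper value ending in .htm/.html, or living under the suspect directory, is worth a look.
$wallpaper = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
$wallHit = [PSCustomObject]@{
    Check   = 'Wallpaper'
    Item    = 'HKCU:\Control Panel\Desktop\Wallpaper'
    Target  = $wallpaper
    Suspect = (($null -ne $wallpaper) -and (($wallpaper -match '\.html?$') -or ($wallpaper -like "$SuspectDir\*")))
}

$report = $startupHits + @($fileHits) + $serviceHits + $procHits + @($wallHit)
$report | Sort-Object Suspect -Descending | Format-Table Check, Item, Target, Suspect -AutoSize

# Summary line so the script is usable from a batch file or a remote session.
$flagged = @($report | Where-Object Suspect).Count
Write-Output ("Suspect indicators found: {0}" -f $flagged)
```

Run it in an elevated PowerShell session so the driver and service enumeration is complete. The report is deliberately split into "visible process" and "file on disk" rows because, as the post explains, the rootkit can make the first row empty on an infected machine while the second still fires; treat the file, shortcut and service rows as the authoritative signal.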

#2 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 28 October 2007 - 03:20 PM

The strangest thing about this program is that it installs two startup entries in your profile's Startup folder so they are started automatically when Windows starts. These entries are named SunshineSpy and Uninstall and both point to C:\Program Files\SunshineSpy\UNWISE.EXE. What is so strange is that these startup entries will actually prompt you to uninstall the program when you reboot your computer. Not sure what they were thinking there.

Although Malware is never really funny, for some reason this struck me as being hilarious. :thumbsup:
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 tuxmaster
  • Members
  • 15 posts

Posted 30 October 2007 - 08:44 AM

My only response is :thumbsup:
-------------------------------------------------------------------------------------
Please respond with the final results after I fix your issue. I like to know the final results after solving a problem. Do not PM me for your issue; post in the forums.
~Tuxmaster

#4 DarkNight
  • Members
  • 232 posts
  • Gender:Male

Posted 05 November 2007 - 11:42 AM

Malware is terrible to get, but this is the world's weirdest rogue anti-spyware software ever. I mean, it asks you to uninstall it, lol.

#5 sumthingxtreme
  • Members
  • 1 post

Posted 06 March 2008 - 03:10 AM

Hey, I'm going to feel really dumb for asking this, but I'm new to this and I was wondering if you would send me a message or something to tell me how in the heck I post blogs? Because I have a problem I want people to help me with if they can. Thank you.

#6 david28 (Forum Member)
  • Banned
  • 1,614 posts
  • Gender:Male

Posted 20 March 2008 - 02:45 AM

LOL

I think that the warning pop-ups that come with these programs just look wrong. I mean, the GUI of all of these programs is good, but those pop-up messages are just really out of place and look like they were created with Paint, making it easier for the average home user to pick up that it is fake :thumbsup: .

Regards,
David.

#7 ruby1 (a forum member)
  • Members
  • 2,375 posts

Posted 19 April 2008 - 07:08 AM

Hey, I'm going to feel really dumb for asking this, but I'm new to this and I was wondering if you would send me a message or something to tell me how in the heck I post blogs? Because I have a problem I want people to help me with if they can. Thank you.

Hi; if you need help on a problem, maybe start your own thread in http://www.bleepingcomputer.com/forums/f/64/introductions/

and tell us your Windows version, your antivirus protection and other protection programs you have on board, and what problems you are having with what, and we can see how we can help?
