Virus: SPR/Fake.SpyWinRean
Type: Security Privacy Risk
In the wild: Yes
Reported Infections: High
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 380.704 Bytes
MD5 checksum: 4969ceb8fe6db5a5ee2e11969bf146bf
VDF version: 7.00.03.23
IVDF version: 7.00.03.27 - Friday, March 14, 2008

General
Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows CE


Side effects:
   • Downloads malicious files
   • Drops a malicious file

Files
It copies itself to the following location:
   • %PROGRAM FILES%\WinReanimator\install.exe



The following files are created:

%PROGRAM FILES%\WinReanimator\unzip32.dll
%PROGRAM FILES%\WinReanimator\data\daily.cvd
%PROGRAM FILES%\WinReanimator\WinReanimator.cfg
%PROGRAM FILES%\WinReanimator\WinReanimator.dll
%PROGRAM FILES%\WinReanimator\un.ico
%PROGRAM FILES%\WinReanimator\pthreadVC2.dll
%PROGRAM FILES%\WinReanimator\htmlayout.dll
%PROGRAM FILES%\WinReanimator\\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
%PROGRAM FILES%\WinReanimator\\Microsoft.VC80.CRT\msvcm80.dll
%PROGRAM FILES%\WinReanimator\\Microsoft.VC80.CRT\msvcp80.dll
%PROGRAM FILES%\WinReanimator\\Microsoft.VC80.CRT\msvcr80.dll
– %ALLUSERSPROFILE%\Desktop\WinReanimator.lnk
– %ALLUSERSPROFILE%\Start Menu\Programs\WinReanimator\WinReanimator.lnk
– %ALLUSERSPROFILE%\Start Menu\Programs\WinReanimator\Uninstall.lnk
%PROGRAM FILES%\WinReanimator\WinReanimator.exe
Further investigation pointed out that this file is malware, too. Detected as: PHISH/FraudTool.Reanimator.B




It tries to download some files:

– The location is the following:
   • http://www.winreanimator.com/WinReanimator/******
It is saved on the local hard drive under: %TEMPDIR%\Binaries1.zip
Further investigation pointed out that this file is malware, too. Detected as: PHISH/FraudTool.Reanimator.B


– The location is the following:
   • http://www.winreanimator.com/WinReanimator/******
It is saved on the local hard drive under: %TEMPDIR%\Binaries2.zip
Further investigation pointed out that this file is malware, too. Detected as: PHISH/FraudTool.Reanimator.B


– The location is the following:
   • http://www.winreanimator.com/WinReanimator/******
It is saved on the local hard drive under: %TEMPDIR%\Binaries3.zip
Further investigation pointed out that this file is malware, too. Detected as: PHISH/FraudTool.Reanimator.B

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • Upack 0.39

Description inserted by Irina Diaconescu on Wednesday, April 23, 2008
Description updated by Irina Diaconescu on Friday, June 6, 2008
