rule webplayerexe_unv
{
    meta:
        description = "Detects webplayerexe unv variant"
    strings:
        $s1 = "unv_mutex" wide ascii
        $s2 = "Windows Defender\\Exclusions" wide
        $s3 = "/submit.php" ascii
    condition:
        uint16(0) == 0x5A4D and all of ($s1, $s2, $s3)
}
Because this file is often a dropper for other hidden malware, simply deleting the file is usually not enough. The payload has likely already been dropped elsewhere on your system.
Step 1: Disconnect from the Internet
Immediately disconnect your Ethernet cable or turn off Wi-Fi. This stops the malware from communicating with its Command & Control (C2) server and prevents it from downloading more payloads or uploading your stolen data.
Step 2: Boot into Safe Mode
Booting into Safe Mode loads Windows with only essential drivers, preventing the malware from actively running and locking its files.
Step 3: Run a Dedicated Malware Scanner
Standard antivirus sometimes misses these threats. Use a specialized scanner:
Step 4: Check Startup Items
Open Task Manager (Ctrl + Shift + Esc) and go to the Startup tab. Look for suspicious entries with random names, or entries named "Unity Web Player" that have no verified publisher. Disable them.
Step 5: Delete the File
Navigate to the location of WebPlayerEXE.unv (commonly found in C:\Users\[User]\AppData\Local\Temp, C:\ProgramData, or the folder where you downloaded the pirated software). Delete the file permanently (Shift + Delete).
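The following is an added example, not code from the original page: a small Python script that re-implements the checks of the YARA rule above (the 0x5A4D "MZ" header test, and each string in the encodings the rule allows: `wide` is UTF-16LE, `ascii` is the raw bytes) and walks the folders named in Step 5 to report matching files with their SHA-256 for triage. It is a plain re-implementation for illustration, not the yara engine; in practice you would load the rule into yara or yara-python. The sample byte strings at the bottom are constructed to show what the rule does and does not match (in particular, `$s2` stored as plain ASCII does not satisfy a `wide`-only string). The default scan roots are assumptions taken from the paths in Step 5, and nothing is deleted by the script.

```python
import hashlib
import os
import sys

# Re-implementation of the page's YARA rule for illustration only.
# Each entry: name -> (text, ascii allowed, wide allowed), mirroring the modifiers.
RULE_STRINGS = {
    "$s1": ("unv_mutex", True, True),                      # wide ascii
    "$s2": ("Windows Defender\\Exclusions", False, True),  # wide only
    "$s3": ("/submit.php", True, False),                   # ascii only
}


def encodings_for(text, ascii_ok, wide_ok):
    """Byte patterns YARA would search for: 'ascii' is the raw bytes,
    'wide' is UTF-16LE (a NUL after each ASCII character)."""
    patterns = []
    if ascii_ok:
        patterns.append(text.encode("ascii"))
    if wide_ok:
        patterns.append(text.encode("utf-16-le"))
    return patterns


def matches_rule(data: bytes) -> bool:
    """Mirror of the condition: uint16(0) == 0x5A4D ('MZ' read little-endian)
    and all three strings present in at least one allowed encoding."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    for text, ascii_ok, wide_ok in RULE_STRINGS.values():
        if not any(p in data for p in encodings_for(text, ascii_ok, wide_ok)):
            return False
    return True


def scan_paths(roots, max_size=50 * 1024 * 1024):
    """Walk the candidate folders from the removal steps and return
    (path, sha256) for every file the rule matches. Files are only read."""
    hits = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    if os.path.getsize(path) > max_size:
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # locked or unreadable file: skip it
                if matches_rule(data):
                    hits.append((path, hashlib.sha256(data).hexdigest()))
    return hits


# Constructed samples (not real malware bytes) showing what the rule needs.
SAMPLE_MATCH = (b"MZ" + b"\x00" * 62 + b"unv_mutex\x00"
                + "Windows Defender\\Exclusions".encode("utf-16-le")
                + b"/submit.php")
# Same strings, but $s2 stored as plain ASCII: the rule declares it 'wide' only.
SAMPLE_ASCII_S2 = (b"MZ" + b"\x00" * 62 + b"unv_mutex"
                   + b"Windows Defender\\Exclusions" + b"/submit.php")
# Not a PE at all (no MZ header) even though every string is present.
SAMPLE_NOT_PE = b"#!" + SAMPLE_MATCH[2:]

# Assumed scan roots, taken from the folders listed in Step 5.
DEFAULT_ROOTS = [
    os.path.join(os.environ.get("LOCALAPPDATA", ""), "Temp"),
    r"C:\ProgramData",
]

if __name__ == "__main__":
    roots = sys.argv[1:] or [r for r in DEFAULT_ROOTS if os.path.isdir(r)]
    for path, digest in scan_paths(roots):
        print(f"MATCH {digest}  {path}")
```

Run it with one or more folders as arguments (for example the download folder of the pirated software) to override the default roots; each reported hash can be checked against a reputation service before the file is removed in Step 5.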