Spyware.Marketscore

Printer Friendly Page

Updated: February 13, 2007 11:37:13 AM

Type: Spyware

Version: 1.3.3.198

Publisher: www.Marketscore.com

Risk Impact: Low

File Names: Ossproxy.exe Nscheck.exe Okshook.dll Csloa.dll

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Spyware.Marketscore runs, it performs the following actions:

Creates the following files:
- Ossproxy.exe
- Nscheck.exe
- Okshook.dll
- Csloa.dll
Attempts to download and install additional files or updates to itself.
Starts a proxy service and tracks Internet usage information.
Drops the following risk related files:
- C:\windows\system32\Downloaded Program Files\setup.exe
- C:\windows\system32\model.dat
- C:\windows\system32\silc_dll.dll
- C:\windows\system32\opnsqr.exe
- C:\windows\system32\cosscfg.exe
- C:\windows\system32\LDPackage.dll
- C:\windows\system32\opls.dll
Drops the following clean file:

C:\windows\system32\sporder.dll
Creates the following registry subkey: HEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage \C:/WINDOWS/Downloaded Program Files/setup.exe
Adds the value:

"C:\windows\system32\opnsqr.exe" = "c:\windows\system32\opnsqr.exe:*:Enabled:opnsqr.exe"

to the registry subkeys:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters \FirewallPolicy\StandardProfile\AuthorizedApplications\List HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters \FirewallPolicy\StandardProfile\AuthorizedApplications\List HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters \FirewallPolicy\StandardProfile\AuthorizedApplications\List HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters \FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds the value:

"C:\WINDOWS\Downloaded Program Files\setup.exe" = "1"

to the registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Adds the values:

{35B7E48B-9D81-4C6C-9578-5FD4F620D886}: ""
"Owner" = "{35B7E48B-9D81-4C6C-9578-5FD4F620D886}"

to the registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage \C:/WINDOWS/Downloaded Program Files/setup.exe
Adds the value:

"OSSProxy" = "c:\windows\system32\opnsqr.exe -bootinstall"

to the registry subkey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Drops legitimate files and registry subkeys associated with the Installshield installer.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}