Updated: March 22, 2007 7:30:27 PM
Type: Spyware
Infection Length: Varies
Name: Comet Cursor Plus
Version: 4.3.333.22
Publisher: Comet Systems
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
When the security risk runs, it assigns the user a Global User ID, composed of a download number and the computer's Media Access Control (MAC) address, through the following site:
[http://]www.log.cc.cometsystems.com
It then changes the cursor when the user is on a site that is Comet Cursor-enabled.
It uses the Global User ID to record the URL of any Comet Cursor-enabled site that the user visits, as well as the next URL that the user visits after leaving that site.
The security risk periodically checks for Comet Cursor updates and, if available, downloads and installs them.
It then creates the following files and folders:
- %ProgramFiles%\Comet\Bin
- %ProgramFiles%\Comet\Core
- %ProgramFiles%\Comet\Data
- %ProgramFiles%\Comet\Install
- %ProgramFiles%\Comet\Products
- %ProgramFiles%\Comet\Products\adzap
- %ProgramFiles%\Comet\Products\FunButton
- %ProgramFiles%\Comet\Products\FunCursors
- %ProgramFiles%\Comet\Products\FunCursors\cursors
- %ProgramFiles%\Comet\Products\RefButton
- %ProgramFiles%\Comet\Products\RelatedSearch
- %ProgramFiles%\Comet\Products\Screensaver
- %ProgramFiles%\Comet\Products\Shared
- %ProgramFiles%\Comet\Products\ShopButton
- %ProgramFiles%\Comet\Products\Smilettown
- %ProgramFiles%\Comet\Products\TravelButton
- %ProgramFiles%\Comet\Products\Travel
- %ProgramFiles%\Comet\Products\WebButton
- %ProgramFiles%\Comet\Products\WebCursors
- %ProgramFiles%\Comet\Services
- %ProgramFiles%\Comet\Services\AddRemove
- %ProgramFiles%\Comet\Services\License
- %ProgramFiles%\Comet\Services\Logqueue
- %ProgramFiles%\Comet\Services\Messaging
- %ProgramFiles%\Comet\Services\Messaging\Base
- %ProgramFiles%\Comet\Services\Messaging\Campaigns
- %ProgramFiles%\Comet\Services\Messaging\Campaigns\AdZap
- %ProgramFiles%\Comet\Services\Messaging\Listeners
- %ProgramFiles%\Comet\Temp - Contains .tmp files.
- %ProgramFiles%\Comet\Temp\Uninstall
- %ProgramFiles%\Comet\Update\ - Contains toolbar components, such as graphics, sounds, and scripts.
- %ProgramFiles%\Comet\Bin\comet.exe - Comet Cursor platform loader and desktop UI, detected as Spyware.CometCursor
- %ProgramFiles%\Comet\Bin\comutil.dll - Comet Cursor library
- %ProgramFiles%\Comet\Bin\csapputil.dll - Comet Cursor utility library
- %ProgramFiles%\Comet\Bin\csband.dll - Comet Cursor search functionality component
- %ProgramFiles%\Comet\Bin\csbho.dll - Comet Cursor Browser Helper Object, contacts update.cc.cometsystems.com, detected as Spyware.CometCursor
- %ProgramFiles%\Comet\Bin\csbrange.dll - Comet Cursor library
- %ProgramFiles%\Comet\Bin\cscore.dll - Comet Cursor core URL gathering, detected as Spyware.CometCursor
- %ProgramFiles%\Comet\Bin\csctx.dll - Comet Cursor context parser library
- %ProgramFiles%\Comet\Bin\cseng.dll - Comet Cursor javascript engine
- %ProgramFiles%\Comet\Bin\csietb.dll - Comet Cursor IE Toolbar library, detected as Spyware.CometCursor
- %ProgramFiles%\Comet\Bin\csinst.dll - Comet Cursor library
- %ProgramFiles%\Comet\Bin\csinstall.exe - A .html file containing a script for capturing URLs
- %ProgramFiles%\Comet\Bin\cstray.exe - Creates a small tray icon in systray. It has an option to look for "Fun Cursors"
- %ProgramFiles%\Comet\Bin\csutil.dll - Utility functions, called by other .dlls
- %ProgramFiles%\Comet\Bin\fileutil.dll - File utilities functions, related to csutil.dll
- %ProgramFiles%\Comet\Bin\unins.ico - An uninstaller icon
- %Windir%\inf\CC_43.PNF - An install configuration file
- %Windir%\inf\CC_43.inf - An install configuration file
- %UserProfile%\Desktop\Comet Cursor.lnk
- %System%\Comet.inf
- %Userprofile%\Local Settings\Temp\ccu\comet.cab
- %Userprofile%\Local Settings\Temp\comet_install.exe
- %Userprofile%\Comet Cursor.lnk
The security risk creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{FE6BC4EF-5676-484B-88AE-883323913256}" = ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\"{FE6BC4EF-5676-484B-88AE-883323913256}" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents\"[RANDOM VALUE]" = "application/x-comet"
It also creates the following registry subkeys:
HKEY_CLASSES_ROOT\BHO.CSBHO
HKEY_CLASSES_ROOT\BHO.CSBHO.1
HKEY_CLASSES_ROOT\CSBRange.ByteRange
HKEY_CLASSES_ROOT\CSBRange.ByteRange.1
HKEY_CLASSES_ROOT\CSBand.HorizontalIEBand
HKEY_CLASSES_ROOT\CSBand.HorizontalIEBand.1
HKEY_CLASSES_ROOT\CSBand.VerticalIEBand
HKEY_CLASSES_ROOT\CSBand.VerticalIEBand.1
HKEY_CLASSES_ROOT\CSEng.CSEngine
HKEY_CLASSES_ROOT\CSEng.CSEngine.1
HKEY_CLASSES_ROOT\CSEng.CSHost
HKEY_CLASSES_ROOT\CSEng.CSHost.1
HKEY_CLASSES_ROOT\CSEng.EvHandler
HKEY_CLASSES_ROOT\CSEng.EvHandler.1
HKEY_CLASSES_ROOT\CSIP.CSCollection
HKEY_CLASSES_ROOT\CSIP.CSCollection.1
HKEY_CLASSES_ROOT\CSIP.CSIPDispatch
HKEY_CLASSES_ROOT\CSIP.CSIPDispatch.1
HKEY_CLASSES_ROOT\CSIP.CSIPPacket
HKEY_CLASSES_ROOT\CSIP.CSIPPacket.1
HKEY_CLASSES_ROOT\ComUtil.FCParam
HKEY_CLASSES_ROOT\ComUtil.FCParam.1
HKEY_CLASSES_ROOT\ComUtil.FctCall
HKEY_CLASSES_ROOT\ComUtil.FctCall.1
HKEY_CLASSES_ROOT\CometAppUtil.CometUIEvents
HKEY_CLASSES_ROOT\CometAppUtil.CometUIEvents.1
HKEY_CLASSES_ROOT\CometIEToolbar.CometToolbar
HKEY_CLASSES_ROOT\CometIEToolbar.CometToolbar.1
HKEY_CLASSES_ROOT\ContextParser.CSRegExp
HKEY_CLASSES_ROOT\ContextParser.CSRegExp.1
HKEY_CLASSES_ROOT\ContextParser.ContextProxy
HKEY_CLASSES_ROOT\ContextParser.ContextProxy.1
HKEY_CLASSES_ROOT\ContextParser.ContextProxyMgr
HKEY_CLASSES_ROOT\ContextParser.ContextProxyMgr.1
HKEY_CLASSES_ROOT\ContextParser.URLContextParser
HKEY_CLASSES_ROOT\ContextParser.URLContextParser.1
HKEY_CLASSES_ROOT\Core.BHO1
HKEY_CLASSES_ROOT\Core.BHO1.1
HKEY_CLASSES_ROOT\Core.BrowserAppProxy
HKEY_CLASSES_ROOT\Core.BrowserAppProxy.1
HKEY_CLASSES_ROOT\Core.CS15Cursor
HKEY_CLASSES_ROOT\Core.CS15Cursor.1
HKEY_CLASSES_ROOT\CometCursor.CometCursor
HKEY_CLASSES_ROOT\CometCursor.CometCursor.1
HKEY_CLASSES_ROOT\Core.CometCursor
HKEY_CLASSES_ROOT\Core.CometCursor.1
HKEY_CLASSES_ROOT\Core.CometFrame
HKEY_CLASSES_ROOT\Core.CometFrame.1
HKEY_CLASSES_ROOT\Core.CometWindow
HKEY_CLASSES_ROOT\Core.CometWindow.1
HKEY_CLASSES_ROOT\Core.FileInfo
HKEY_CLASSES_ROOT\Core.FileInfo.1
HKEY_CLASSES_ROOT\Core.HttpComm
HKEY_CLASSES_ROOT\Core.HttpComm.1
HKEY_CLASSES_ROOT\Core.MyBrowser1
HKEY_CLASSES_ROOT\Core.MyBrowser1.1
HKEY_CLASSES_ROOT\Core.SelfUpdater
HKEY_CLASSES_ROOT\Core.SelfUpdater.1
HKEY_CLASSES_ROOT\Core.System
HKEY_CLASSES_ROOT\Core.System.1
HKEY_CLASSES_ROOT\Core.WindowProxy
HKEY_CLASSES_ROOT\Core.WindowProxy.1
HKEY_CLASSES_ROOT\Puk.PukBHO
HKEY_CLASSES_ROOT\Puk.PukBHO.1
HKEY_CLASSES_ROOT\SkinUI.ActiveWindow
HKEY_CLASSES_ROOT\SkinUI.ActiveWindow.1
HKEY_CLASSES_ROOT\SkinUI.CSkinUI
HKEY_CLASSES_ROOT\SkinUI.CSkinUI.1
HKEY_CLASSES_ROOT\SkinUI.WebBrowserSink
HKEY_CLASSES_ROOT\SkinUI.WebBrowserSink.1
HKEY_CLASSES_ROOT\SkinUI.WindowsHelper
HKEY_CLASSES_ROOT\SkinUI.WindowsHelper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Comet Systems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D14D6793-9B65-11D3-80B6-00500487BDBA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D14D6793-9B65-11D3-80B6-00500487BDBA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cc2k
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Comet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCAR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PUK
It then modifies the value in the following registry subkey to point to a different URL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchAssistant
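A read-only check for the Internet Explorer integration points and install artifacts listed above, as an added example that is not part of the original writeup. The function name Get-CometCursorArtifact is hypothetical, and the script assumes the registry and %ProgramFiles% layout exactly as the writeup gives it.

```powershell
# Added example: read-only check for Comet Cursor artifacts named in this writeup.
# Get-CometCursorArtifact is a hypothetical name; nothing is modified or deleted.
function Get-CometCursorArtifact {
    $bho     = '{D14D6793-9B65-11D3-80B6-00500487BDBA}'  # Browser Helper Object CLSID
    $toolbar = '{FE6BC4EF-5676-484B-88AE-883323913256}'  # IE toolbar CLSID
    $hit = { param($type, $item) [pscustomobject]@{ Type = $type; Indicator = $item } }

    # 1. Registry subkeys: BHO registration, distribution unit, vendor and uninstall keys
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho"
        "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$bho"
        'HKLM:\SOFTWARE\Comet Systems'
    )
    $keys += 'cc2k', 'Comet', 'CCAR', 'PUK' | ForEach-Object {
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$_" }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { & $hit 'RegistryKey' $k }
    }

    # 2. Toolbar CLSID registered as a value name under the IE toolbar keys
    foreach ($p in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                   'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser') {
        $key = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $toolbar)) {
            & $hit 'RegistryValue' "$p\$toolbar"
        }
    }

    # 3. Randomly named value whose data is the application/x-comet MIME type
    $acc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents'
    $key = Get-Item -LiteralPath $acc -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValue($name) -eq 'application/x-comet') {
                & $hit 'RegistryValue' "$acc\$name"
            }
        }
    }

    # 4. Install folder and the binaries the writeup marks as detected
    $files = 'Comet', 'Comet\Bin\comet.exe', 'Comet\Bin\csbho.dll',
             'Comet\Bin\cscore.dll', 'Comet\Bin\csietb.dll' |
             ForEach-Object { Join-Path $env:ProgramFiles $_ }
    $files += Join-Path $env:windir 'inf\CC_43.inf'
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { & $hit 'File' $f }
    }
}

Get-CometCursorArtifact | Format-Table -AutoSize
```

An empty result means none of the checked artifacts are present; the Accepted Documents check matches on the value data because the value name is random.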