Updated: February 13, 2007 11:48:33 AM
Type: Misleading Application
Infection Length: 2602431 bytes;1396736 bytes
Risk Impact: Medium
File Names:
spyaxe_setup.exe
spyaxe.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows NT, Windows Server 2003, Windows XP
When Spyaxe is executed, it performs the following actions:
- Creates the following folder:
%ProgramFiles%\Spyaxe
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the following files:
- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyAxe 3.0.lnk
- C:\Documents and Settings\Administrator\Desktop\SpyAxe.lnk
- C:\Documents and Settings\Administrator\Start Menu\Programs\SpyAxe
- C:\Documents and Settings\Administrator\Start Menu\Programs\SpyAxe\SpyAxe 3.0 Website.lnk
- C:\Documents and Settings\Administrator\Start Menu\Programs\SpyAxe\SpyAxe 3.0.lnk
- C:\Documents and Settings\Administrator\Start Menu\Programs\SpyAxe\Uninstall SpyAxe 3.0.lnk
- C:\Documents and Settings\Administrator\Start Menu\SpyAxe 3.0.lnk
- %ProgramFiles%\SpyAxe
- %ProgramFiles%\SpyAxe\Lang
- %ProgramFiles%\SpyAxe\Lang\English.ini
- %ProgramFiles%\SpyAxe\Quarantine
- %ProgramFiles%\SpyAxe\SpyAxe.exe
- %ProgramFiles%\SpyAxe\SpyAxe.url
- %ProgramFiles%\SpyAxe\msvcp71.dll
- %ProgramFiles%\SpyAxe\msvcr71.dll
- %ProgramFiles%\SpyAxe\signatures.ref
- %ProgramFiles%\SpyAxe\uninst.exe
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\spyaxe.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyAxe
HKEY_LOCAL_MACHINE\Software\SpyAxe
HKEY_CURRENT_USER\AppID\SpyAxe.EXE
HKEY_CURRENT_USER\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5}
HKEY_CURRENT_USER\CLSID\{957BAB51-81FF-8195-F273-D7E286EA702F}
HKEY_CURRENT_USER\Interface\{0F68A8AA-A9A8-4711-BE36-AE363EFA6443}
HKEY_CURRENT_USER\Interface\{28420952-C82B-47D9-A042-FA2217D8A082}
HKEY_CURRENT_USER\Interface\{3C099C83-8587-4B35-8AF0-FC3A169CE14F}
HKEY_CURRENT_USER\Interface\{3FE13F31-E890-4C37-8213-4B5F9A511C26}
HKEY_CURRENT_USER\Interface\{4CAD27DC-1B60-42F4-820E-316FE0A13512}
HKEY_CURRENT_USER\Interface\{54874D12-C0C6-44CC-83FB-2C35202F881B}
HKEY_CURRENT_USER\Interface\{54A3200B-D76E-48D1-B35C-D87EAF6D90BD}
HKEY_CURRENT_USER\Interface\{663DFE59-032C-46FB-A09A-FFC2DC074F54}
HKEY_CURRENT_USER\Interface\{69CE4FBC-4861-4206-8211-DD5A9EE79AD3}
HKEY_CURRENT_USER\Interface\{AFA9056F-AA11-4771-AE01-04ECFDE18206}
HKEY_CURRENT_USER\Interface\{B8F2487F-AA6A-4914-9A3F-DB84E6868D66}
HKEY_CURRENT_USER\Interface\{E4645720-E02F-4BB2-8E6D-BE7653DD1BF2}
HKEY_CURRENT_USER\Interface\{FA46B160-C9DD-4040-B9D9-CCF5D3DB5438}
HKEY_CURRENT_USER\Interface\{FC1F0C2C-8117-427D-816C-215B68524F74}
HKEY_CURRENT_USER\Interface\{FD1EEE96-8DC7-478D-BE3B-7D06AC67FB66}
HKEY_CURRENT_USER\Interface\{FD8E5ED7-0091-416F-A55B-1D072D58A24F}
HKEY_CURRENT_USER\TypeLib\{2BB3BCBF-411A-4C67-8E69-F4BB301DC333}
- Adds the value:
"SpyAxe" = "%ProgramFiles%\SpyAxe\spyaxe.exe /h"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the risk is executed every time Windows starts.
- Adds the values:
"{04FBD2E52B24702B5}" = "56 3E A8 0E 0B A2 A7 A6 ..."
"{I4FBD2E52B24702B5}" = "04 00 00 00 "
"{K7C0DB872A3F777C0}" = "7C 38 E7 81 FB 09 1F FF ..."
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Licenses
Note: These registry entries may be used by legitimate programs.
- Adds the value:
"TrapPollTimeMilliSecs" = "3A98"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine
