SpywareStrike

Updated: February 13, 2007 11:47:37 AM
Type: Misleading Application
Risk Impact: Medium
File Names: ss_setup.exe, spywarestrike.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When SpywareStrike is executed, it performs the following actions:
  1. Creates the following folder:

    %ProgramFiles%\SpywareStrike

    Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following files:

    • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareStrike 2.5.lnk
    • %UserProfile%\Desktop\SpywareStrike.lnk
    • %UserProfile%\Start Menu\Programs\SpywareStrike
    • %UserProfile%\Start Menu\Programs\SpywareStrike\SpywareStrike 2.5 Website.lnk
    • %UserProfile%\Start Menu\Programs\SpywareStrike\SpywareStrike 2.5.lnk
    • %UserProfile%\Start Menu\Programs\SpywareStrike\Uninstall SpywareStrike 2.5.lnk
    • %UserProfile%\Start Menu\SpywareStrike 2.5.lnk
    • %ProgramFiles%\SpywareStrike\Lang\English.ini
    • %ProgramFiles%\SpywareStrike\Quarantine
    • %ProgramFiles%\SpywareStrike\SpywareStrike.exe
    • %ProgramFiles%\SpywareStrike\SpywareStrike.url
    • %ProgramFiles%\SpywareStrike\msvcp71.dll
    • %ProgramFiles%\SpywareStrike\msvcr71.dll
    • %ProgramFiles%\SpywareStrike\signatures.ref
    • %ProgramFiles%\SpywareStrike\uninst.exe

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\AppID\SpywareStrike.EXE
    HKEY_CLASSES_ROOT\TypeLib\{C1A4C0C9-DBD0-493A-93F8-0B05EDC96224}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareStrike.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStrike
    HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStrike
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5}


  4. Adds the value:

    "SpywareStrike" = "%ProgramFiles%\SpywareStrike\SpywareStrike.exe /h"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk is executed every time Windows starts.

  5. Adds the values:

    "{0A4AF3E9A644EE5C8}" = "56 3E A8 0E 0B A2 A7 A6 ..."
    "{IA4AF3E9A644EE5C8}" = "06 00 00 00"
    "{K7C0DB872A3F777C0}" = "1F 0A C9 7F FC 08 1F FF ..."

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

    Note: The above registry entries may be used by legitimate programs.
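The registry changes described above can be checked offline against a text registry export (.reg file). The following is an added example, not part of the original write-up: the function names are illustrative, the sample export is constructed, and the input is assumed to be already decoded to text (regedit writes version 5.00 exports as UTF-16).

```python
import re

# Indicators from the write-up above, compared case-insensitively.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_TARGET = r"\SpywareStrike\SpywareStrike.exe"  # independent of where %ProgramFiles% points
NAMED_KEYS = [
    r"HKEY_CLASSES_ROOT\AppID\SpywareStrike.EXE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareStrike.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStrike",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStrike",
]
# HKLM\SOFTWARE\Licenses is not matched: the write-up notes legitimate programs may use it.
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and quote with a backslash

def parse_reg(text):
    """Yield (key, name, data); name and data are None for a bare key header."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := STR_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_indicators(text):
    """Return sorted findings for the named subkeys and the Run autostart value."""
    hits = set()
    for key, name, data in parse_reg(text):
        k = key.lower()
        hits.update("key: " + n for n in NAMED_KEYS
                    if k == n.lower() or k.startswith(n.lower() + "\\"))
        if (name and k == RUN_KEY.lower() and name.lower() == "spywarestrike"
                and RUN_TARGET.lower() in data.lower()):
            hits.add("autorun: " + data)
    return sorted(hits)

# Constructed sample export, not captured from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"SpywareStrike"="C:\\Program Files\\SpywareStrike\\SpywareStrike.exe /h"
[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
[HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStrike]'''

if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE)))
```

The Run value and the product-named subkeys are the specific indicators; a hit on HKEY_LOCAL_MACHINE\SOFTWARE\Licenses alone is not reported, in line with the note above.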
