SpyFalcon


Updated: February 13, 2007 11:48:43 AM
Type: Misleading Application
Infection Length: 2,920,485 bytes; 2,929,629 bytes
Risk Impact: Medium
File Names: sfsetup.exe, 1.exe


When SpyFalcon is installed, it performs the following actions:
  1. Creates the following folders:

    • %ProgramFiles%\SpyFalcon
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following files:

    • C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyFalcon 2.0.lnk
    • C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyFalcon 3.1.lnk
    • C:\Documents and Settings\Administrator\Desktop\SpyFalcon.lnk
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\SpyFalcon 2.0 Website.lnk
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\SpyFalcon 3.1 Website.lnk
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\SpyFalcon 2.0.lnk
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\SpyFalcon 3.1.lnk
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\Uninstall SpyFalcon 2.0.lnk
    • C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\Uninstall SpyFalcon 3.1.lnk
    • C:\Documents and Settings\Administrator\Start Menu\SpyFalcon 2.0.lnk
    • C:\Documents and Settings\Administrator\Start Menu\SpyFalcon 3.1.lnk
    • %ProgramFiles%\SpyFalcon\blacklist.txt
    • %ProgramFiles%\SpyFalcon\Lang\English.ini
    • %ProgramFiles%\SpyFalcon\msvcp71.dll
    • %ProgramFiles%\SpyFalcon\msvcr71.dll
    • %ProgramFiles%\SpyFalcon\SpyFalcon.exe
    • %ProgramFiles%\SpyFalcon\SpyFalcon.url
    • %ProgramFiles%\SpyFalcon\syg.db
    • %ProgramFiles%\SpyFalcon\uninst.exe
    • %ProgramFiles%\SpyFalcon\sf.ini
    • %Temp%\SFLanguage.ini

      Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  3. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\spyaxe.exe
    HKEY_CLASSES_ROOT\CLSID\{008E3200-28EB-463b-9B58-75C23D80911A}
    HKEY_CLASSES_ROOT\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}
    HKEY_CLASSES_ROOT\Interface\{001501E7-C970-4CB1-9740-E055BF3DDFD6}
    HKEY_CLASSES_ROOT\Interface\{0CBD1CBA-E034-4287-9B49-5F2912E1D33B}
    HKEY_CLASSES_ROOT\Interface\{0FBBBC44-296D-4A2F-AF45-BE1EE387F569}
    HKEY_CLASSES_ROOT\Interface\{163469FD-6009-48E2-AD8C-47BB2E0D88BE}
    HKEY_CLASSES_ROOT\Interface\{1694E5C6-9E1F-4C3B-B79A-828C2FC40003}
    HKEY_CLASSES_ROOT\Interface\{18575620-E41D-4204-BF6F-964069D80F45}
    HKEY_CLASSES_ROOT\Interface\{200BD3A6-A02B-4BAC-A364-A9D8017E3C4E}
    HKEY_CLASSES_ROOT\Interface\{20C59F9F-33CB-4B1B-AFB6-B710DB845709}
    HKEY_CLASSES_ROOT\Interface\{23D80835-4A3A-4572-9F5F-3F24A7A28AE5}
    HKEY_CLASSES_ROOT\Interface\{255CDDA3-576B-44C9-B944-46EAC18D5D6F}
    HKEY_CLASSES_ROOT\Interface\{3261F690-1CA4-4839-928B-F4F898B74EB7}
    HKEY_CLASSES_ROOT\Interface\{37B9988B-1997-41F4-A832-DAE42CC3F7C2}
    HKEY_CLASSES_ROOT\Interface\{4B860BE9-5B96-4443-9714-6ACD89989D1E}
    HKEY_CLASSES_ROOT\Interface\{5B861FB8-903C-4996-B1D3-E9A86ED4BBCF}
    HKEY_CLASSES_ROOT\Interface\{5796859D-53C4-46C1-AD6F-2A3C4D4306EB}
    HKEY_CLASSES_ROOT\Interface\{597892CA-A878-4A04-978F-DBA8DC2BB2FB}
    HKEY_CLASSES_ROOT\Interface\{673A88D4-C0E0-40D2-9B93-AE39D9A1675F}
    HKEY_CLASSES_ROOT\Interface\{6876543E-DA55-4F90-9CD2-5ED380D9516C}
    HKEY_CLASSES_ROOT\Interface\{701E8C3A-7910-4CCD-A9F8-7B9A5F5B3947}
    HKEY_CLASSES_ROOT\Interface\{7CC220DA-D962-4935-AD3A-21F7CA4962E3}
    HKEY_CLASSES_ROOT\Interface\{850300D6-D53B-4720-9372-6D31B85537E1}
    HKEY_CLASSES_ROOT\Interface\{8C803228-BD61-4744-8B79-949E3F512DDC}
    HKEY_CLASSES_ROOT\Interface\{9DD57F95-DA3A-4EDA-9475-27CCF366A4FD}
    HKEY_CLASSES_ROOT\Interface\{B4D9C59B-A091-4D79-90CC-DD92F3BACF63}
    HKEY_CLASSES_ROOT\Interface\{B7C685F0-1804-4382-A8EF-17D33DF97069}
    HKEY_CLASSES_ROOT\Interface\{B8F90F00-CF78-4431-A13F-58B979F7EE20}
    HKEY_CLASSES_ROOT\Interface\{CDEB1FD8-0917-40A2-B915-8FB9D7FDD75C}
    HKEY_CLASSES_ROOT\Interface\{CF277F5A-347E-40C2-BAF0-4F09D0607041}
    HKEY_CLASSES_ROOT\Interface\{D5DE421A-4AA5-4FE3-AA43-7D2A87D6267F}
    HKEY_CLASSES_ROOT\Interface\{DD2D402A-DE41-47A6-AAC9-0D756776203E}
    HKEY_CLASSES_ROOT\Interface\{E2F430FD-3062-4808-B23F-4B322BFED93F}
    HKEY_CLASSES_ROOT\Interface\{E9B91E0C-305A-4DD2-9987-B3B0C254C6DE}
    HKEY_CLASSES_ROOT\Interface\{EFD28371-A165-4873-A158-421D208FFE5A}
    HKEY_CLASSES_ROOT\SpyFalcon.PopupBlockerConnector
    HKEY_CLASSES_ROOT\SpyFalcon.PopupBlockerConnector.1
    HKEY_CLASSES_ROOT\TypeLib\{244B730E-D899-4E38-9428-03D1143242E0}
    HKEY_CLASSES_ROOT\TypeLib\{B4E17829-DACB-4320-9ABF-DCB382221FC2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyFalcon.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon
    HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon


  4. Adds the value:

    "SpyFalcon" = "%ProgramFiles%\SpyFalcon\SpyFalcon.exe /h"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it is executed every time Windows starts.
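As an added example that is not part of this writeup, the following read-only PowerShell audit checks a host for the files, shortcuts, registry keys and Run value listed in steps 2 to 4; it assumes $env:ProgramFiles and $env:TEMP stand in for %ProgramFiles% and %Temp%, and that the shortcut locations follow the profile layout shown above.

```powershell
function Find-SpyFalconArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]
    # Step 2 files; $env:ProgramFiles and $env:TEMP stand in for %ProgramFiles% and %Temp% (assumption).
    $files = @(
        "$env:ProgramFiles\SpyFalcon\SpyFalcon.exe",
        "$env:ProgramFiles\SpyFalcon\uninst.exe",
        "$env:ProgramFiles\SpyFalcon\syg.db",
        "$env:ProgramFiles\SpyFalcon\sf.ini",
        "$env:ProgramFiles\SpyFalcon\blacklist.txt",
        "$env:ProgramFiles\SpyFalcon\Lang\English.ini",
        "$env:TEMP\SFLanguage.ini"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("file: $f") }
    }
    # Step 2 shortcuts live in the installing user's profile, so check every profile
    # under both the XP-era profile root and the newer one.
    $profiles = Get-ChildItem -Path 'C:\Users', 'C:\Documents and Settings' -Directory -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        foreach ($rel in 'Desktop\SpyFalcon.lnk', 'Start Menu\Programs\SpyFalcon') {
            $path = Join-Path $p.FullName $rel
            if (Test-Path -LiteralPath $path) { $findings.Add("shortcut: $path") }
        }
    }
    # Step 3 keys (the per-interface GUID keys are left out here; add them to $keys if wanted).
    $keys = @(
        'HKLM:\SOFTWARE\SpyFalcon',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyFalcon.exe',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\spyaxe.exe',
        'Registry::HKEY_CLASSES_ROOT\SpyFalcon.PopupBlockerConnector',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{008E3200-28EB-463b-9B58-75C23D80911A}',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("registry key: $k") }
    }
    # Step 4 persistence: the "SpyFalcon" value under the HKLM Run key.
    $run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $null -ne $run.PSObject.Properties['SpyFalcon']) {
        $findings.Add("Run value: SpyFalcon = $($run.SpyFalcon)")
    }
    return $findings
}
# Usage: prints each finding or a clean message; the script removes nothing.
$hits = @(Find-SpyFalconArtifacts)
if ($hits.Count -eq 0) { 'No SpyFalcon artifacts found.' } else { $hits }
```

On 64-bit Windows a 32-bit installer may place its files and keys under Program Files (x86) and the WOW6432Node registry view instead, so check those locations as well when the audit comes back clean.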
