
HTTP Conspy Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects Adware.Conspy communicating with and requesting information from its controlling server.

Additional Information

When Adware.Conspy is executed, it performs the following actions:

1. Copies itself to %Windir%.

Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Attempts to add the values:
* "Quicken"="%Windir%\Waol.exe"
* "Editpad"="%Windir%\Editpad.exe"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

3. Attempts to contact the server, conf.conspy.com, to download the updates and configuration files.

The web addresses it accesses include:
* http://conf.conspy.com/quicken_update.php
* http://conf.conspy.com/winrar_update.php
* http://conf.conspy.com/popset.php
* http://conf.conspy.com/waol.exe
* http://conf.conspy.com/editpad.exe
* http://conf.conspy.com/editpad.rsf.php
* http://conf.conspy.com/resource_update.php

4. If it fails to contact the server, it will wait 60 seconds and then try again.

5. Takes a web address from a decryption of editpad.rsf.php.

6. Adds links to Internet Explorer's "Favorites." These URLs are taken from the decryption of editpad.rsf.php.

7. Adds the value:

"Search Page" = "<URL decrypted from editpad.rsf.php>"

to the registry key:

HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

8. Adds the value:

"Search Bar" = "<URL decrypted from editpad.rsf.php>"

to the registry key:

HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

9. Adds the value:

"Start Page" = "<URL decrypted from editpad.rsf.php>"

to the registry key:

HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

10. Adds the value:

"SearchURL" = "<URL decrypted from editpad.rsf.php>"

to the registry key:

HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\

11. Adds the value:

"SearchAssistant" = "<URL decrypted from editpad.rsf.php>"

to the registry key:

HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Search\
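The steps above give a defender two places to look for this adware: the proxy log (steps 3 and 4, the requests to conf.conspy.com and the 60-second retry cadence) and the registry (steps 2 and 7 to 11). The script below is an added example written for this page; it is not Symantec's signature logic and not part of the advisory. It assumes a Squid-style access log format ("timestamp elapsed client status bytes method url ..."), a registry export already parsed into a dictionary keyed by (key, value name), and a 5-second tolerance on the retry interval; the log lines and registry values it scans are constructed sample data, not real telemetry.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the advisory text above (hard-coded here as constructed data).
CONSPY_HOST = "conf.conspy.com"
CONSPY_PATHS = {
    "/quicken_update.php", "/winrar_update.php", "/popset.php", "/waol.exe",
    "/editpad.exe", "/editpad.rsf.php", "/resource_update.php",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"Quicken": r"%Windir%\Waol.exe", "Editpad": r"%Windir%\Editpad.exe"}
IE_VALUES = [
    (r"HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main", "Search Page"),
    (r"HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main", "Search Bar"),
    (r"HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main", "Start Page"),
    (r"HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer", "SearchURL"),
    (r"HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Search", "SearchAssistant"),
]

# Assumed Squid-style access log: "ts elapsed client status/code bytes method url ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify_request(url):
    """'conspy-c2' for a listed endpoint, 'conspy-host' for any other path on the host, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != CONSPY_HOST:
        return None
    return "conspy-c2" if parts.path.lower() in CONSPY_PATHS else "conspy-host"


def scan_proxy_log(lines):
    """Return [(ts, client, url, verdict)] for every request that reaches the Conspy server."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line: skip rather than crash
        verdict = classify_request(m.group("url"))
        if verdict:
            hits.append((float(m.group("ts")), m.group("client"), m.group("url"), verdict))
    return hits


def find_retry_clients(hits, interval=60.0, tolerance=5.0):
    """Heuristic for step 4: clients whose consecutive Conspy requests are spaced
    about `interval` seconds apart (tolerance is an assumed value)."""
    by_client = {}
    for ts, client, _url, _verdict in hits:
        by_client.setdefault(client, []).append(ts)
    retrying = set()
    for client, stamps in by_client.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if abs((later - earlier) - interval) <= tolerance:
                retrying.add(client)
                break
    return sorted(retrying)


def check_registry_export(values):
    """values: {(key, value_name): data}, e.g. parsed from a .reg export (constructed here).
    Returns (persistence_findings, ie_settings_to_review)."""
    persistence = []
    for name, expected in RUN_VALUES.items():
        data = values.get((RUN_KEY, name))
        # Compare on the file name so an expanded %Windir% (C:\Windows\...) still matches.
        if data is not None and data.lower().endswith("\\" + expected.rsplit("\\", 1)[-1].lower()):
            persistence.append((RUN_KEY, name, data))
    # The advisory does not state which URLs end up in these values (they are decrypted
    # at run time), so they are surfaced for analyst review, not matched against a list.
    review = [(key, name, values[(key, name)]) for key, name in IE_VALUES if (key, name) in values]
    return persistence, review


# Constructed sample data (not real telemetry).
SAMPLE_LOG = """\
1096412345.123    210 10.0.0.17 TCP_MISS/200 512 GET http://conf.conspy.com/quicken_update.php - DIRECT/203.0.113.5 text/html
1096412347.001     98 10.0.0.17 TCP_MISS/200 2048 GET http://conf.conspy.com/editpad.rsf.php - DIRECT/203.0.113.5 text/html
1096412350.556    120 10.0.0.23 TCP_MISS/200 4096 GET http://www.example.com/ - DIRECT/198.51.100.9 text/html
1096412351.700    150 10.0.0.42 TCP_MISS/404 300 GET http://conf.conspy.com/other.php - DIRECT/203.0.113.5 text/html
1096412405.200    205 10.0.0.17 TCP_MISS/200 512 GET http://conf.conspy.com/quicken_update.php - DIRECT/203.0.113.5 text/html
""".splitlines()

SAMPLE_REGISTRY = {
    (RUN_KEY, "Quicken"): r"C:\Windows\Waol.exe",  # %Windir% already expanded
    (RUN_KEY, "Editpad"): r"%Windir%\Editpad.exe",
    (r"HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main", "Start Page"): "http://example.invalid/start",
}

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("clients retrying on a ~60 s cadence:", find_retry_clients(hits))
    print(check_registry_export(SAMPLE_REGISTRY))
```

Requests to a listed path are reported as "conspy-c2"; any other path on the same host is reported separately as "conspy-host", since the advisory only says the list "includes" those addresses. The registry check matches the two Run values by file name, and lists the Internet Explorer search and start-page values for review rather than flagging them outright, because their contents are only known at run time.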

Affected

  • Windows 2000
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

1. Update the definitions.
2. Run a full system scan and delete all the files detected as Adware.IEDriver.
3. Delete the values that were added to the registry.
