HTTP Surfcomp Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Spyware.Surfcomp communicating with, and requesting information from, its controlling server.

Additional Information

When the Spyware.Surfcomp file is registered, it performs the following actions:

1. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4145B998-6511-46de-A873-FD1DBD053164}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ADABA402-85CD-4037-BC74-F4AAA8C7429C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C776869F-7C58-4778-9F55-8A78B6EC7D28}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin.SPlugin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin.SPlugin.1\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4145B998-6511-46de-A873-FD1DBD053164}
HKEY_CURRENT_USER\Software\SurfPlugin

2. Sends the Operating System version and location of the compromised computer to [http://]www.updatehq.net/[REMOVED].

3. Monitors Internet Explorer, and logs URLs visited in the file site.tmp. It may then periodically send the list of URLs to [http://]www.updatehq.net/[REMOVED].

Affected

  • Windows 2000
  • Windows 64-bit (AMD64)
  • Windows 64-bit (IA64)
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
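The following PowerShell script is an added example for step 3, not Symantec's own tooling: it sweeps a host for the registry subkeys listed under Additional Information and reports which are present, without deleting anything. It assumes an elevated prompt (HKEY_LOCAL_MACHINE may otherwise be unreadable in part). The two Wow6432Node paths are an assumption beyond the page's list: on 64-bit Windows a 32-bit browser helper object registers its CLSID and BHO entry under those redirected branches.

```powershell
# Added example (not Symantec code): read-only check for the Spyware.Surfcomp
# registry artifacts listed on this page. Run from an elevated PowerShell prompt.
# Key paths below are copied from the page; the Wow6432Node entries are an
# assumption for 32-bit registrations on 64-bit Windows.

$SurfcompKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4145B998-6511-46de-A873-FD1DBD053164}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ADABA402-85CD-4037-BC74-F4AAA8C7429C}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C776869F-7C58-4778-9F55-8A78B6EC7D28}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin.SPlugin',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Plugin.SPlugin.1',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4145B998-6511-46de-A873-FD1DBD053164}',
    'HKEY_CURRENT_USER\Software\SurfPlugin'
)

# Assumed 32-bit-on-64-bit mirrors of the CLSID and BHO registrations (not on the page).
$Wow64Variants = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4145B998-6511-46de-A873-FD1DBD053164}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4145B998-6511-46de-A873-FD1DBD053164}'
)

function Test-SurfcompArtifacts {
    param([string[]]$Keys = ($SurfcompKeys + $Wow64Variants))

    foreach ($key in $Keys) {
        # The Registry:: provider prefix addresses any hive by its full name;
        # -LiteralPath keeps the GUID braces from being parsed as a pattern.
        $present = Test-Path -LiteralPath "Registry::$key"
        [pscustomobject]@{ Key = $key; Present = $present }
    }
}

$results = Test-SurfcompArtifacts
$results | Format-Table -AutoSize

$hits = @($results | Where-Object Present)
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) Surfcomp registry artifact(s) present; update definitions and run a full scan before removal."
    # Record the values under each hit so the removal step can be documented.
    foreach ($hit in $hits) {
        Get-ItemProperty -LiteralPath "Registry::$($hit.Key)" -ErrorAction SilentlyContinue
    }
} else {
    Write-Host 'No Surfcomp registry artifacts found.'
}
```

The script only reads; removal is left to the scanner (step 2) or to a deliberate follow-up once the findings have been recorded, which keeps an accidental false positive from wiping an unrelated CLSID.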