
HTTP AntiSpyZone Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects SecurityRisk.AntiSpyZone communicating and requesting information from its controlling server.

Additional Information

When the program is executed, it creates the following files:

* %ProgramFiles%\[THREAT DIRECTORY]\antispyzone [THREAT VERSION].exe
* %ProgramFiles%\[THREAT DIRECTORY]\antispyzone 4.6.url
* %ProgramFiles%\[THREAT DIRECTORY]\aszone.dat
* %ProgramFiles%\[THREAT DIRECTORY]\blacklist.txt
* %ProgramFiles%\[THREAT DIRECTORY]\lang
* %ProgramFiles%\[THREAT DIRECTORY]\lang\english.ini
* %ProgramFiles%\[THREAT DIRECTORY]\logs
* %ProgramFiles%\[THREAT DIRECTORY]\msvcp71.dll
* %ProgramFiles%\[THREAT DIRECTORY]\msvcr71.dll
* %ProgramFiles%\[THREAT DIRECTORY]\uninst.exe
* %UserProfile%\Application Data\microsoft\internet explorer\quick launch\antispyzone [THREAT VERSION].lnk
* %UserProfile%\Desktop\antispyzone [THREAT VERSION].lnk
* %UserProfile%\Start Menu\Programs\antispyzone [THREAT VERSION]\antispyzone [THREAT VERSION] website.lnk
* %UserProfile%\Start Menu\Programs\antispyzone [THREAT VERSION]\antispyzone [THREAT VERSION].lnk
* %UserProfile%\Start Menu\Programs\antispyzone [THREAT VERSION]\uninstall antispyzone [THREAT VERSION].lnk
* %UserProfile%\Start Menu\antispyzone [THREAT VERSION].lnk
* %UserProfile%\local settings\temp\aszlanguage.ini
* %UserProfile%\local settings\temp\aszone.dat

Where [THREAT DIRECTORY] can be one of the following:

* antispyzone 4.6
* antispyzone 4.9
* az\antispyzone 4.5

and [THREAT VERSION] can be 4.5, 4.6 or 4.9.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\"antispyzone [THREAT VERSION]" = "ProgramFiles\[THREAT DIRECTORY]\antispyzone [THREAT VERSION].exe"

The program also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\software\antispyzone [THREAT VERSION]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\app paths\antispyzone [THREAT VERSION].exe [THREAT VERSION]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\antispyzone [THREAT VERSION]
HKEY_LOCAL_MACHINE\software\licenses


Next, the program may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
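The following PowerShell function is an added example, not part of the Symantec page or any Symantec product: it checks a host for the persistence value, registry keys and files listed above and, with -RemoveRunValue, deletes the autorun value named in step 4. The version numbers, directory names and file names come from the page; the function name, the output format and the mapping of the XP-era temp path to $env:TEMP are this example's own assumptions.

```powershell
# Added example (not the page's or Symantec's code): look for the AntiSpyZone
# indicators described above. Version/directory variants are from the page.
function Find-AntiSpyZoneIndicators {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$RemoveRunValue)   # step 4 of the Response: remove the Run value

    $versions   = '4.5', '4.6', '4.9'
    $threatDirs = 'antispyzone 4.6', 'antispyzone 4.9', 'az\antispyzone 4.5'
    $runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    # Assumption: on 64-bit Windows a 32-bit installer lands under ProgramFiles(x86) too.
    $roots      = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $hits       = @()

    foreach ($v in $versions) {
        $valueName = "antispyzone $v"
        # Persistence: the page lists this Run value as the startup mechanism.
        $value = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
        if ($value) {
            $hits += [pscustomobject]@{ Type = 'RunValue'; Path = "$runKey\$valueName"; Data = $value.$valueName }
            if ($RemoveRunValue -and $PSCmdlet.ShouldProcess("$runKey\$valueName", 'Remove autorun value')) {
                Remove-ItemProperty -Path $runKey -Name $valueName
            }
        }
        # Program-specific registry subkeys from the page (per version).
        foreach ($key in "HKLM:\SOFTWARE\antispyzone $v",
                         "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispyzone $v") {
            if (Test-Path $key) { $hits += [pscustomobject]@{ Type = 'RegKey'; Path = $key; Data = $null } }
        }
    }

    foreach ($root in $roots) {
        foreach ($d in $threatDirs) {
            $dir = Join-Path $root $d
            foreach ($f in 'aszone.dat', 'blacklist.txt', 'uninst.exe', 'msvcp71.dll', 'msvcr71.dll') {
                $p = Join-Path $dir $f
                if (Test-Path $p) { $hits += [pscustomobject]@{ Type = 'File'; Path = $p; Data = $null } }
            }
            # The main executable carries the version in its name: "antispyzone <ver>.exe".
            Get-ChildItem -Path $dir -Filter 'antispyzone*.exe' -ErrorAction SilentlyContinue |
                ForEach-Object { $hits += [pscustomobject]@{ Type = 'File'; Path = $_.FullName; Data = $null } }
        }
    }
    # Assumption: the page's "%UserProfile%\local settings\temp" is the user's temp dir ($env:TEMP today).
    foreach ($f in 'aszlanguage.ini', 'aszone.dat') {
        $p = Join-Path $env:TEMP $f
        if (Test-Path $p) { $hits += [pscustomobject]@{ Type = 'File'; Path = $p; Data = $null } }
    }
    $hits
}

Find-AntiSpyZoneIndicators | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM Run value can be read and, with -RemoveRunValue, removed; the file and shortcut artefacts still need the full scan in step 3 to be cleaned up.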