
HTTP SpyLocked Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects SpyLocked communicating with, and requesting information from, its controlling server over HTTP.

Additional Information

When the program is executed, it creates the following files:

* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\blacklist.txt
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\lang\english.ini
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\logs
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\msvcp71.dll
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\msvcr71.dll
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\sl.dat
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\sl.dat.old
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\[THREAT NAME] [THREAT VERSION].exe
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\[THREAT NAME] .url
* %ProgramFiles%\[THREAT NAME] [THREAT VERSION]\uninst.exe
* %UserProfile%\Application Data\Microsoft\Internet Explorer\quick launch\[THREAT NAME] [THREAT VERSION].lnk
* %UserProfile%\Desktop\[THREAT NAME] [THREAT VERSION].lnk
* %UserProfile%\Local Settings\Temp\sllanguage.ini
* %UserProfile%\Start Menu\Programs\[THREAT NAME] [THREAT VERSION]\[THREAT NAME] [THREAT VERSION] website.lnk
* %UserProfile%\Start Menu\Programs\[THREAT NAME] [THREAT VERSION]\[THREAT NAME] [THREAT VERSION].lnk
* %UserProfile%\Start Menu\Programs\[THREAT NAME] [THREAT VERSION]\uninstall [THREAT NAME] [THREAT VERSION].lnk
* %UserProfile%\Start Menu\[THREAT NAME] [THREAT VERSION].lnk

Where [THREAT VERSION] can be 3.1, 3.5, 3.6, 3.7, 3.9, or an empty string and [THREAT NAME] can be one of the following:
Spylocked
SpywareLocked

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\"[THREAT NAME] [THREAT VERSION]" = "C:\Program Files\[THREAT NAME] [THREAT VERSION]\[THREAT NAME] [THREAT VERSION].exe"

The program then creates the following registry subkeys:
HKEY_CLASSES_ROOT\clsid\{0b847a1a-a872-95fc-8e22-f8b4ae044657}
HKEY_CLASSES_ROOT\clsid\{d06e2eae-1922-4a0b-6a7c-8d9e3de0e708}
HKEY_CLASSES_ROOT\interface\{02743820-2e7c-42c6-b60c-726d67379edb}
HKEY_CLASSES_ROOT\interface\{3d8286f5-9606-46c5-89d8-9b6379877732}
HKEY_CLASSES_ROOT\interface\{521c4c7e-d2cf-4eb1-a078-6e126269e0ad}
HKEY_CLASSES_ROOT\interface\{67e054fa-0f1e-4af8-899b-0b52660d7043}
HKEY_CLASSES_ROOT\interface\{697c34c8-bbac-418c-999a-a5525f4ff8c3}
HKEY_CLASSES_ROOT\interface\{711c2540-aa7d-4c40-a8c0-9b1bc920378d}
HKEY_CLASSES_ROOT\interface\{80a2bfbd-7906-48ef-9f76-49b9f822393b}
HKEY_CLASSES_ROOT\interface\{87a8c087-37c2-40c4-9cdf-97437a9f54ba}
HKEY_CLASSES_ROOT\interface\{8ed3825e-77a7-41d4-bdcb-fd8cc2b0d183}
HKEY_CLASSES_ROOT\interface\{a2e56d03-930a-4bbf-8c8e-4d63d15f88ee}
HKEY_CLASSES_ROOT\interface\{abae0daf-a6ba-481f-b3ba-0666d0d1b2eb}
HKEY_CLASSES_ROOT\interface\{b5b6aa2c-f0c7-44b9-a861-261958ecd0b8}
HKEY_CLASSES_ROOT\interface\{bd8c66a5-617b-4abf-b56d-f547597fe0fa}
HKEY_CLASSES_ROOT\interface\{d675fd26-7200-466f-a380-182fe49af8aa}
HKEY_CLASSES_ROOT\interface\{d8073d3d-d957-45be-82ca-bb44fd0e9c4b}
HKEY_CLASSES_ROOT\interface\{ef906cf9-6eeb-4626-9a17-2e48c11d2995}
HKEY_CLASSES_ROOT\interface\{062bc936-7ce4-421c-944e-bd388ec91c86}
HKEY_CLASSES_ROOT\interface\{22f1a770-b823-48d4-8693-b953902a06ef}
HKEY_CLASSES_ROOT\interface\{3a7a14fd-7fec-48cf-a06f-210344de6e75}
HKEY_CLASSES_ROOT\interface\{41e4adcd-ccc2-4da0-97c3-83051a4c35f1}
HKEY_CLASSES_ROOT\interface\{54d2d4fc-914c-432c-b638-599f48d77a08}
HKEY_CLASSES_ROOT\interface\{6f342c0c-ef49-49e2-b3f1-fe28f193b974}
HKEY_CLASSES_ROOT\interface\{6f61b413-1dfe-4c4c-8cd4-b97be0b17504}
HKEY_CLASSES_ROOT\interface\{764ce36a-c778-42a8-b3b2-4b09a4b10469}
HKEY_CLASSES_ROOT\interface\{87ea76c9-411e-44d0-8270-ea2df3941133}
HKEY_CLASSES_ROOT\interface\{94792c8e-6fe0-462c-9d20-ad560608dda1}
HKEY_CLASSES_ROOT\interface\{99eaef8c-652d-407c-8319-781a2bb30ff7}
HKEY_CLASSES_ROOT\interface\{a392d107-afbf-4e1b-8092-db508bc890a5}
HKEY_CLASSES_ROOT\interface\{ad2aa1cd-22ff-4562-a616-1c64a42985bb}
HKEY_CLASSES_ROOT\interface\{c2d197c9-8570-4ac8-a121-92f9a8ccd857}
HKEY_CLASSES_ROOT\interface\{cbccb1d8-ab10-4b4c-9982-a8dea99f3111}
HKEY_CLASSES_ROOT\interface\{f198a883-6bcf-4b94-a890-d8ed007fbcf7}
HKEY_CLASSES_ROOT\interface\{2c5b5226-045d-4a46-b4fc-228b0891feec}
HKEY_CLASSES_ROOT\interface\{314120e4-5a05-492c-9bf2-22558cf0f202}
HKEY_CLASSES_ROOT\interface\{392d4a36-6adf-4a99-a820-3014a53e62e3}
HKEY_CLASSES_ROOT\interface\{3bf6c840-4d12-4fb5-88a2-e2bc03461dc2}
HKEY_CLASSES_ROOT\interface\{42f16135-d0a4-43a2-990c-27fcabd9c19f}
HKEY_CLASSES_ROOT\interface\{43df1cee-70b3-4e2d-a740-4ac468786207}
HKEY_CLASSES_ROOT\interface\{4d31cca1-c42b-4796-851f-ca8ed4cd2a7e}
HKEY_CLASSES_ROOT\interface\{5ca1a9f6-10f8-4008-b884-755b25b6848a}
HKEY_CLASSES_ROOT\interface\{630cbf61-54cc-4ac3-97b0-d4071345807c}
HKEY_CLASSES_ROOT\interface\{6afb5b8e-acfd-4489-91b3-daa1388a31ec}
HKEY_CLASSES_ROOT\interface\{815b01a0-bf97-41e9-acf2-32b76f98a960}
HKEY_CLASSES_ROOT\interface\{c5bf4465-5322-462f-b41f-459f649f3996}
HKEY_CLASSES_ROOT\interface\{e4703cf2-7f82-4ad7-b317-8ec1cbc9b619}
HKEY_CLASSES_ROOT\interface\{e9817993-83ff-4343-b14e-6cdfb378b21d}
HKEY_CLASSES_ROOT\interface\{ede2a2b4-b1cb-4bf8-93d1-154e49284a71}
HKEY_CLASSES_ROOT\interface\{f5d23930-23c6-440e-ab55-d019e1171539}
HKEY_CLASSES_ROOT\interface\{05436423-e2da-4307-aee4-275c2522d4dd}
HKEY_CLASSES_ROOT\interface\{17a868cd-c8b9-4a46-8224-85e4d81cd764}
HKEY_CLASSES_ROOT\interface\{3037b797-a390-4dcd-bca6-272815fc4265}
HKEY_CLASSES_ROOT\interface\{4470c18e-1ef2-453c-bec1-1745d781bcab}
HKEY_CLASSES_ROOT\interface\{52bf24cf-8378-42b4-8962-135cfb6c4f77}
HKEY_CLASSES_ROOT\interface\{680fa31f-43bc-47da-9405-a0d1b1c1151b}
HKEY_CLASSES_ROOT\interface\{6ebb57f2-b416-4f76-9384-a8f669ff60e4}
HKEY_CLASSES_ROOT\interface\{8262777c-7176-4a9c-a8a6-d0c4aeb467b6}
HKEY_CLASSES_ROOT\interface\{8afc508b-6b96-479c-a1ac-848eb3f4efde}
HKEY_CLASSES_ROOT\interface\{8b7e3c69-4a2e-4f48-b690-47beeef16ff5}
HKEY_CLASSES_ROOT\interface\{9309bdc4-952b-4146-8303-2fda3f5b218f}
HKEY_CLASSES_ROOT\interface\{b3250c2d-c398-4ec9-8a79-85bcf65f6608}
HKEY_CLASSES_ROOT\interface\{d237bd03-5808-4b64-942d-6746fe50ee66}
HKEY_CLASSES_ROOT\interface\{d8cd0d4f-47b6-4499-af5a-48446972e058}
HKEY_CLASSES_ROOT\interface\{deb82bf1-47bb-4863-b85c-77363d3c37d5}
HKEY_CLASSES_ROOT\interface\{eae9695a-b942-4c07-b94f-7cfbe3f35a37}
HKEY_CLASSES_ROOT\interface\{05061fbd-4124-4eae-befe-b844303a2d74}
HKEY_CLASSES_ROOT\interface\{0d0e7125-9728-40ac-9fc1-ca3c26a0e9ac}
HKEY_CLASSES_ROOT\interface\{17da0ada-d080-476a-8a32-29961b3145da}
HKEY_CLASSES_ROOT\interface\{27e4b73f-3c78-4463-888d-ae36c6f3abfc}
HKEY_CLASSES_ROOT\interface\{3eec58b4-fe87-4885-ae8a-b19e7454bd03}
HKEY_CLASSES_ROOT\interface\{3f0b05b7-fd07-43a3-82ca-8dd6c75363d7}
HKEY_CLASSES_ROOT\interface\{4edb0354-f87d-4c60-b5f8-b09d30247bf3}
HKEY_CLASSES_ROOT\interface\{62ddee51-44c6-44f9-b8cc-cc85c7bdd54d}
HKEY_CLASSES_ROOT\interface\{71fbb0ff-3295-4435-966d-c966dc86dc18}
HKEY_CLASSES_ROOT\interface\{7578be5c-0f58-4914-a8e4-6446a94fa82b}
HKEY_CLASSES_ROOT\interface\{8b317816-b6cd-4f56-88d8-02fa916c5c54}
HKEY_CLASSES_ROOT\interface\{9af243af-0fbf-4fd8-9d12-0442be49d64b}
HKEY_CLASSES_ROOT\interface\{9d01bc12-d61a-4828-aa88-a4fffc393c0d}
HKEY_CLASSES_ROOT\interface\{a8870adf-5e61-44b9-a443-439bc30ce341}
HKEY_CLASSES_ROOT\interface\{d8f9e49e-80be-4bd8-8efe-3124228105dc}
HKEY_CLASSES_ROOT\interface\{e92e6f2d-2ca1-4b39-bbaa-d685f4a0fb40}
HKEY_CLASSES_ROOT\typelib\{1e033191-2d29-4e24-89e9-1dd85ea75078}
HKEY_CLASSES_ROOT\typelib\{27b1ded9-7493-4204-afce-9afd4b7fc662}
HKEY_CLASSES_ROOT\typelib\{50450f27-b90b-422b-a4c9-5ec5a5b78001}
HKEY_CLASSES_ROOT\typelib\{2da226f0-fe43-4f80-a94a-1848039de0dd}
HKEY_CLASSES_ROOT\typelib\{5a74e275-351b-4072-8f0b-cbe2b7231b37}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\app paths\[THREAT NAME] [THREAT VERSION].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\[THREAT NAME] [THREAT VERSION]
HKEY_LOCAL_MACHINE\SOFTWARE\[THREAT NAME] [THREAT VERSION]
HKEY_LOCAL_MACHINE\software\licenses

Where [THREAT VERSION] can be 3.1, 3.5, 3.6, 3.7, 3.9, or an empty string and [THREAT NAME] can be one of the following:
Spylocked
SpywareLocked

Next, the program displays exaggerated or false reports of threats on the computer and prompts the user to purchase a registered version of the software in order to remove the reported threats.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete the registry entry and subkeys listed above.
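The following PowerShell script is an added triage example; it is not part of the Symantec write-up and not code from the threat. It expands the [THREAT NAME] / [THREAT VERSION] combinations given above, checks the Run-key persistence value, the per-product files and registry keys, and the fixed CLSID and TypeLib GUIDs, and can remove the Run value for step 4 of the Response. Assumptions not stated on the page: the "[THREAT NAME] [THREAT VERSION]" label has no trailing space when the version is empty; %UserProfile%\Local Settings\Temp is taken as $env:TEMP; only the two CLSID and five TypeLib GUIDs are checked, the Interface GUIDs from the list can be appended to $hkcrKeys in the same form; the script name Find-SpyLocked.ps1 is hypothetical.

```powershell
<#
  Added example, not Symantec's code. Reports SpyLocked / SpywareLocked
  artifacts listed in the signature description and optionally removes the
  HKLM Run value (Response step 4). Run from an elevated PowerShell prompt.
  Assumptions: label has no trailing space for an empty version;
  %UserProfile%\Local Settings\Temp is $env:TEMP; Interface GUIDs omitted.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$RemoveRunValues)

$names    = 'Spylocked', 'SpywareLocked'
$versions = '3.1', '3.5', '3.6', '3.7', '3.9', ''
# Every "[THREAT NAME] [THREAT VERSION]" combination from the page
$labels   = foreach ($n in $names) { foreach ($v in $versions) { ("$n $v").Trim() } }

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# CLSID and TypeLib subkeys from the list above (HKEY_CLASSES_ROOT)
$hkcrKeys = @(
  'CLSID\{0b847a1a-a872-95fc-8e22-f8b4ae044657}'
  'CLSID\{d06e2eae-1922-4a0b-6a7c-8d9e3de0e708}'
  'TypeLib\{1e033191-2d29-4e24-89e9-1dd85ea75078}'
  'TypeLib\{27b1ded9-7493-4204-afce-9afd4b7fc662}'
  'TypeLib\{50450f27-b90b-422b-a4c9-5ec5a5b78001}'
  'TypeLib\{2da226f0-fe43-4f80-a94a-1848039de0dd}'
  'TypeLib\{5a74e275-351b-4072-8f0b-cbe2b7231b37}'
)

$findings = @()

# 1. Run-key persistence: a value named after the threat, not a whole key
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($label in $labels) {
  if ($run -and $run.PSObject.Properties[$label]) {
    $findings += [pscustomobject]@{ Type = 'RunValue'; Path = "$runKey\$label = $($run.$label)" }
    if ($RemoveRunValues -and $PSCmdlet.ShouldProcess("$runKey\$label", 'Remove-ItemProperty')) {
      Remove-ItemProperty -Path $runKey -Name $label
    }
  }
}

# 2. Per-label files and registry keys
foreach ($label in $labels) {
  $paths = @(
    (Join-Path $env:ProgramFiles "$label\$label.exe"),
    (Join-Path $env:ProgramFiles "$label\sl.dat"),
    (Join-Path $env:ProgramFiles "$label\blacklist.txt"),
    (Join-Path $env:USERPROFILE "Desktop\$label.lnk"),
    (Join-Path $env:USERPROFILE "Start Menu\$label.lnk"),
    "HKLM:\SOFTWARE\$label",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$label",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$label.exe"
  )
  foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += [pscustomobject]@{ Type = 'Path'; Path = $p } }
  }
}

# 3. Artifacts whose names do not depend on the label
$fixed = @(
  (Join-Path $env:TEMP 'sllanguage.ini'),
  'HKLM:\SOFTWARE\licenses'
) + ($hkcrKeys | ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_" })
foreach ($p in $fixed) {
  if (Test-Path -LiteralPath $p) { $findings += [pscustomobject]@{ Type = 'Path'; Path = $p } }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No SpyLocked/SpywareLocked artifacts found.' }
```

Run it plainly to report only, or with -RemoveRunValues -WhatIf to preview which Run values would be deleted before committing. The script deliberately removes only the named value under the Run key rather than the key itself, since other legitimate programs register there too. Note also that msvcp71.dll and msvcr71.dll in the file list are the Microsoft Visual C++ .NET 2003 runtime libraries and are dropped by many legitimate installers; their presence alone is not an indicator, which is why the script keys on the product directory and the sl.dat / blacklist.txt files instead.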