
HTTP ExpertAntivirus Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects ExpertAntivirus communicating with, and requesting information from, its controlling server.

Additional Information

When the program is executed, it creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\ExpertAntivirus v4.1.lnk
* %UserProfile%\Desktop\ExpertAntivirus v4.1.lnk
* %UserProfile%\Start Menu\Programs\ExpertAntivirus\ExpertAntivirus v4.1 Un-Installer.lnk
* %UserProfile%\Start Menu\Programs\ExpertAntivirus\ExpertAntivirus v4.1 Website.lnk
* %UserProfile%\Start Menu\Programs\ExpertAntivirus\ExpertAntivirus v4.1.lnk
* %UserProfile%\Start Menu\ExpertAntivirus v4.1.lnk
* %ProgramFiles%\ExpertAntivirus\activex.db
* %ProgramFiles%\ExpertAntivirus\blacklist.db
* %ProgramFiles%\ExpertAntivirus\cookies.db
* %ProgramFiles%\ExpertAntivirus\DbgHelp.Dll
* %ProgramFiles%\ExpertAntivirus\ExpertAntivirus.EXE
* %ProgramFiles%\ExpertAntivirus\ExpertAntivirus.url
* %ProgramFiles%\ExpertAntivirus\extension.dll
* %ProgramFiles%\ExpertAntivirus\filesNames.db
* %ProgramFiles%\ExpertAntivirus\hosts.db
* %ProgramFiles%\ExpertAntivirus\knownLocations.db
* %ProgramFiles%\ExpertAntivirus\Languages\English.ini
* %ProgramFiles%\ExpertAntivirus\Logs\shield_activity-05012007-114307.log
* %ProgramFiles%\ExpertAntivirus\md5.db
* %ProgramFiles%\ExpertAntivirus\msvcp71.dll
* %ProgramFiles%\ExpertAntivirus\msvcr71.dll
* %ProgramFiles%\ExpertAntivirus\plugin.dll
* %ProgramFiles%\ExpertAntivirus\Plugins\DesktopManager\DesktopManager.dll
* %ProgramFiles%\ExpertAntivirus\Plugins\DesktopManager\Languages\English.ini
* %ProgramFiles%\ExpertAntivirus\Plugins\DesktopManager\Languages\Spanish.ini
* %ProgramFiles%\ExpertAntivirus\Plugins\StartupEditor\Languages\English.ini
* %ProgramFiles%\ExpertAntivirus\Plugins\StartupEditor\Languages\Spanish.ini
* %ProgramFiles%\ExpertAntivirus\Plugins\StartupEditor\StartupEditor.dll
* %ProgramFiles%\ExpertAntivirus\registry.db
* %ProgramFiles%\ExpertAntivirus\regsvr32.exe
* %ProgramFiles%\ExpertAntivirus\sdebug.log
* %ProgramFiles%\ExpertAntivirus\settings.ini
* %ProgramFiles%\ExpertAntivirus\SpamBlocker.dll
* %ProgramFiles%\ExpertAntivirus\spywareinfo.db
* %ProgramFiles%\ExpertAntivirus\tips.txt
* %ProgramFiles%\ExpertAntivirus\uninst.exe
* %Windir%\system\ext32inc.dll
* %Windir%\wincom137.dll

Next, it creates the following registry subkeys:

* HKEY_ALL_USERS\Software\Microsoft\Office\Outlook\Addins\ExpertAntivirus.Addin.1
* HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\AdLoader
* HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Trace7
* HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Shell\1das
* HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Shell\1das\AdLoader
* HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Shell\dnl7
* HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Shell\dnl7\tracer
* HKEY_CLASSES_ROOT\Ad-Protect.Server
* HKEY_CLASSES_ROOT\Ad-Protect.Server.1
* HKEY_CLASSES_ROOT\Ad-Protect.Server.1\CLSID
* HKEY_CLASSES_ROOT\Ad-Protect.Server\CLSID
* HKEY_CLASSES_ROOT\Ad-Protect.Server\CurVer
* HKEY_CLASSES_ROOT\AppID\ad-protect.EXE
* HKEY_CLASSES_ROOT\AppID\spamdet.DLL
* HKEY_CLASSES_ROOT\AppID\{9DA1990B-9BCA-4c80-AEFB-11A40FA849F9}
* HKEY_CLASSES_ROOT\AppID\{C628512D-A058-4BD4-B47B-B036F45FA02B}
* HKEY_CLASSES_ROOT\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}
* HKEY_CLASSES_ROOT\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}\InprocServer32
* HKEY_CLASSES_ROOT\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}\ProgID
* HKEY_CLASSES_ROOT\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}\Programmable
* HKEY_CLASSES_ROOT\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}\TypeLib
* HKEY_CLASSES_ROOT\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}\VersionIndependentProgID
* HKEY_CLASSES_ROOT\CLSID\{69EBF0DB-F6B5-4479-8352-AA632F522D34}
* HKEY_CLASSES_ROOT\CLSID\{69EBF0DB-F6B5-4479-8352-AA632F522D34}\InprocServer32
* HKEY_CLASSES_ROOT\CLSID\{69EBF0DB-F6B5-4479-8352-AA632F522D34}\ProgID
* HKEY_CLASSES_ROOT\CLSID\{69EBF0DB-F6B5-4479-8352-AA632F522D34}\TypeLib
* HKEY_CLASSES_ROOT\CLSID\{69EBF0DB-F6B5-4479-8352-AA632F522D34}\VersionIndependentProgID
* HKEY_CLASSES_ROOT\CLSID\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}
* HKEY_CLASSES_ROOT\CLSID\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}\InProcServer32
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\InprocServer32
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\dnFbNoduRd
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\egfzaihulvy
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\ivlpksrbpHL
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\kdtpziAXhqfxR
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\lQjnfgzF
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\nxqqbovfiy
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\okDhFuoCc
* HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}\tBdzrcaryk
* HKEY_CLASSES_ROOT\CLSID\{D7ABE914-B8CF-4602-9145-6BDAAEDA21AA}
* HKEY_CLASSES_ROOT\CLSID\{D7ABE914-B8CF-4602-9145-6BDAAEDA21AA}\LocalServer32
* HKEY_CLASSES_ROOT\CLSID\{D7ABE914-B8CF-4602-9145-6BDAAEDA21AA}\ProgID
* HKEY_CLASSES_ROOT\CLSID\{D7ABE914-B8CF-4602-9145-6BDAAEDA21AA}\Programmable
* HKEY_CLASSES_ROOT\CLSID\{D7ABE914-B8CF-4602-9145-6BDAAEDA21AA}\TypeLib
* HKEY_CLASSES_ROOT\CLSID\{D7ABE914-B8CF-4602-9145-6BDAAEDA21AA}\VersionIndependentProgID
* HKEY_CLASSES_ROOT\ExpertAntivirus.Addin
* HKEY_CLASSES_ROOT\ExpertAntivirus.Addin.1
* HKEY_CLASSES_ROOT\ExpertAntivirus.Addin.1\CLSID
* HKEY_CLASSES_ROOT\ExpertAntivirus.Addin\CLSID
* HKEY_CLASSES_ROOT\ExpertAntivirus.Addin\CurVer
* HKEY_CLASSES_ROOT\Interface\{214345B8-BB69-498D-A168-29F58F15D806}
* HKEY_CLASSES_ROOT\Interface\{214345B8-BB69-498D-A168-29F58F15D806}\ProxyStubClsid
* HKEY_CLASSES_ROOT\Interface\{214345B8-BB69-498D-A168-29F58F15D806}\ProxyStubClsid32
* HKEY_CLASSES_ROOT\Interface\{214345B8-BB69-498D-A168-29F58F15D806}\TypeLib
* HKEY_CLASSES_ROOT\Interface\{3E67E9DC-7294-44C3-BC99-EA6E29E74076}
* HKEY_CLASSES_ROOT\Interface\{3E67E9DC-7294-44C3-BC99-EA6E29E74076}\NumMethods
* HKEY_CLASSES_ROOT\Interface\{3E67E9DC-7294-44C3-BC99-EA6E29E74076}\ProxyStubClsid32
* HKEY_CLASSES_ROOT\Interface\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}
* HKEY_CLASSES_ROOT\Interface\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}\NumMethods
* HKEY_CLASSES_ROOT\Interface\{7C1530BD-16B0-41A9-B428-17EE8CBD3E06}\ProxyStubClsid32
* HKEY_CLASSES_ROOT\Interface\{D59B2DD5-0609-4BDC-AB47-A9A28ABC482A}
* HKEY_CLASSES_ROOT\Interface\{D59B2DD5-0609-4BDC-AB47-A9A28ABC482A}\NumMethods
* HKEY_CLASSES_ROOT\Interface\{D59B2DD5-0609-4BDC-AB47-A9A28ABC482A}\ProxyStubClsid32
* HKEY_CLASSES_ROOT\Interface\{F82FD7D4-2EC8-40B3-A141-DE051C98DCE9}
* HKEY_CLASSES_ROOT\Interface\{F82FD7D4-2EC8-40B3-A141-DE051C98DCE9}\ProxyStubClsid
* HKEY_CLASSES_ROOT\Interface\{F82FD7D4-2EC8-40B3-A141-DE051C98DCE9}\ProxyStubClsid32
* HKEY_CLASSES_ROOT\Interface\{F82FD7D4-2EC8-40B3-A141-DE051C98DCE9}\TypeLib
* HKEY_CLASSES_ROOT\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}
* HKEY_CLASSES_ROOT\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}\1.0
* HKEY_CLASSES_ROOT\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}\1.0\0
* HKEY_CLASSES_ROOT\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}\1.0\0\win32
* HKEY_CLASSES_ROOT\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}\1.0\FLAGS
* HKEY_CLASSES_ROOT\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}\1.0\HELPDIR
* HKEY_CLASSES_ROOT\TypeLib\{DFCDA823-80C5-4F55-B328-7EFD4AFBD9A0}
* HKEY_CLASSES_ROOT\TypeLib\{DFCDA823-80C5-4F55-B328-7EFD4AFBD9A0}\1.0
* HKEY_CLASSES_ROOT\TypeLib\{DFCDA823-80C5-4F55-B328-7EFD4AFBD9A0}\1.0\0
* HKEY_CLASSES_ROOT\TypeLib\{DFCDA823-80C5-4F55-B328-7EFD4AFBD9A0}\1.0\0\win32
* HKEY_CLASSES_ROOT\TypeLib\{DFCDA823-80C5-4F55-B328-7EFD4AFBD9A0}\1.0\FLAGS
* HKEY_CLASSES_ROOT\TypeLib\{DFCDA823-80C5-4F55-B328-7EFD4AFBD9A0}\1.0\HELPDIR
* HKEY_CLASSES_ROOT\spamdet.SpamDetector
* HKEY_CLASSES_ROOT\spamdet.SpamDetector.1
* HKEY_CLASSES_ROOT\spamdet.SpamDetector.1\CLSID
* HKEY_CLASSES_ROOT\spamdet.SpamDetector\CLSID
* HKEY_CLASSES_ROOT\spamdet.SpamDetector\CurVer
* HKEY_LOCAL_MACHINE\SOFTWARE\ExpertAntivirus
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ExpertAntivirus.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpertAntivirus
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\ExpertAntivirus

The program then gives exaggerated reports about potential risks on the computer.

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
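The file and registry artifacts listed under Additional Information, together with step 4 of the Response above, can be turned into a host sweep. The script below is an added example written for this page, not Symantec's own tooling: it checks a representative subset of the paths and keys from the lists above (the remaining entries are added the same way), reports what is present, and with -Remove deletes each hit after a per-item confirmation. It assumes an elevated PowerShell prompt, reads the page's "HKEY_ALL_USERS" as every loaded user hive under HKEY_USERS (Windows itself has no hive by that name), and matches the timestamped shield_activity log with a wildcard rather than the single sample file name shown on the page.

```powershell
<#
  Added example (not part of the Symantec signature page): sweeps a Windows host
  for the ExpertAntivirus file and registry artifacts listed above and, with
  -Remove, deletes the ones found after a per-item confirmation.
  Run from an elevated PowerShell prompt.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports
)

# Representative entries from the file list above; add the remaining ones the
# same way. Assumption: the shield_activity log name is timestamped, so it is
# matched with a wildcard instead of the single sample name shown on the page.
$FilePaths = @(
    '%ProgramFiles%\ExpertAntivirus\ExpertAntivirus.EXE',
    '%ProgramFiles%\ExpertAntivirus\extension.dll',
    '%ProgramFiles%\ExpertAntivirus\plugin.dll',
    '%ProgramFiles%\ExpertAntivirus\SpamBlocker.dll',
    '%ProgramFiles%\ExpertAntivirus\uninst.exe',
    '%ProgramFiles%\ExpertAntivirus\Logs\shield_activity-*.log',
    '%UserProfile%\Desktop\ExpertAntivirus v4.1.lnk',
    '%UserProfile%\Start Menu\ExpertAntivirus v4.1.lnk',
    '%Windir%\system\ext32inc.dll',
    '%Windir%\wincom137.dll'
)

# Top-level keys from the registry list above (their subkeys go with them).
# Assumption: "HKEY_ALL_USERS" on the page is read as "every loaded user hive
# under HKEY_USERS"; Windows has no hive with that literal name.
$RegistryKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\ExpertAntivirus',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\ExpertAntivirus',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpertAntivirus',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ExpertAntivirus.exe',
    'HKEY_CLASSES_ROOT\ExpertAntivirus.Addin',
    'HKEY_CLASSES_ROOT\Ad-Protect.Server',
    'HKEY_CLASSES_ROOT\spamdet.SpamDetector',
    'HKEY_CLASSES_ROOT\CLSID\{9EC61371-C3B9-FCC1-EE6F-2E4E8D12DFFC}',
    'HKEY_CLASSES_ROOT\CLSID\{16DD131D-C09F-4F83-A1E7-A2CF506EA27C}',
    'HKEY_CLASSES_ROOT\TypeLib\{B60F5AFA-EDD2-417D-A438-57F3EBD9E639}',
    'HKEY_ALL_USERS\Software\Microsoft\Office\Outlook\Addins\ExpertAntivirus.Addin.1',
    'HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Shell\1das',
    'HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Shell\dnl7'
)

# Translate a page-style key into one or more registry provider paths.
function Resolve-RegistryPath {
    param([string]$Key)
    if ($Key -like 'HKEY_ALL_USERS\*') {
        $suffix = $Key.Substring('HKEY_ALL_USERS\'.Length)
        Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
            ForEach-Object { "Registry::$($_.Name)\$suffix" }
    } else {
        "Registry::$Key"
    }
}

$hits = @()

foreach ($raw in $FilePaths) {
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    # -Path rather than -LiteralPath so the wildcard in the log name is honoured.
    foreach ($item in Get-Item -Path $expanded -ErrorAction SilentlyContinue) {
        $hits += [pscustomobject]@{ Kind = 'File'; Path = $item.FullName }
    }
}

foreach ($key in $RegistryKeys) {
    foreach ($providerPath in Resolve-RegistryPath -Key $key) {
        if (Test-Path -LiteralPath $providerPath) {
            $hits += [pscustomobject]@{ Kind = 'Registry'; Path = $providerPath }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No ExpertAntivirus artifacts from the signature page were found.'
    return
}

$hits | Format-Table -AutoSize

if ($Remove) {
    foreach ($hit in $hits) {
        # ShouldProcess supplies -WhatIf and -Confirm semantics for each deletion.
        if ($PSCmdlet.ShouldProcess($hit.Path, 'Remove artifact')) {
            Remove-Item -LiteralPath $hit.Path -Recurse -Force
        }
    }
}
```

Run it once without -Remove to confirm the hits match the lists above, then with -Remove -WhatIf to preview the deletions before running -Remove for real; this keeps step 4 of the Response a reviewed action rather than a blind one, which matters because the %UserProfile% paths and the HKEY_USERS hives only cover profiles loaded at the time of the sweep.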