
HTTP SpywareQuake Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects SpywareQuake communicating with its controlling server and requesting information from it.

Additional Information

When SpywareQuake is installed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareQuake 2.0.lnk
* %UserProfile%\Desktop\SpywareQuake.lnk
* %UserProfile%\Local Settings\Temp\SQLanguage.ini
* %UserProfile%\Start Menu\Programs\SpywareQuake\SpywareQuake 2.0 Website.lnk
* %UserProfile%\Start Menu\Programs\SpywareQuake\SpywareQuake 2.0.lnk
* %UserProfile%\Start Menu\Programs\SpywareQuake\Uninstall SpywareQuake 2.0.lnk
* %UserProfile%\Start Menu\SpywareQuake 2.0.lnk
* %ProgramFiles%\SpywareQuake\blacklist.txt
* %ProgramFiles%\SpywareQuake\Lang\English.ini
* %ProgramFiles%\SpywareQuake\msvcp71.dll
* %ProgramFiles%\SpywareQuake\msvcr71.dll
* %ProgramFiles%\SpywareQuake\ref.dat
* %ProgramFiles%\SpywareQuake\SpywareQuake.exe
* %ProgramFiles%\SpywareQuake\SpywareQuake.url
* %ProgramFiles%\SpywareQuake\uninst.exe
* %ProgramFiles%\SpywareQuake\Lang\*.*
* %ProgramFiles%\SpywareQuake\Dirs\*.*
* %ProgramFiles%\SpywareQuake\Quarantine\*.*

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

* HKEY_CLASSES_ROOT\CLSID\{5B55C4E3-C179-BA0B-B4FD-F2DB862D6202}
* HKEY_CLASSES_ROOT\Interface\{189518DF-7EBA-4D31-A7E1-73B5BB60E8D5}
* HKEY_CLASSES_ROOT\Interface\{23D627FE-3F02-44CF-9EE1-7B9E44BD9E13}
* HKEY_CLASSES_ROOT\Interface\{43CFEFBE-8AE4-400E-BBE4-A2B61BB140FB}
* HKEY_CLASSES_ROOT\Interface\{5790B963-23C5-43C1-BCF5-01C9B5A3E44E}
* HKEY_CLASSES_ROOT\Interface\{5D42DDF4-81EB-4668-9951-819A1D5BEFC8}
* HKEY_CLASSES_ROOT\Interface\{76D06077-D5D3-40CA-B32D-6A67A7FF3F06}
* HKEY_CLASSES_ROOT\Interface\{86C7E6C3-EC47-44E5-AA08-EE0D0A25895F}
* HKEY_CLASSES_ROOT\Interface\{9283DAC1-43F5-4580-BF86-841F22AF2335}
* HKEY_CLASSES_ROOT\Interface\{AE90CAFC-09D4-47F0-9E11-CE621C424F08}
* HKEY_CLASSES_ROOT\Interface\{BA397E39-F67F-423F-BC6E-65939450093A}
* HKEY_CLASSES_ROOT\Interface\{BEC8A83D-01D4-4F15-B8A9-4B4AB24253A7}
* HKEY_CLASSES_ROOT\Interface\{C4EEDC19-992D-409A-B323-ED57D511AFA5}
* HKEY_CLASSES_ROOT\Interface\{DD90F677-D205-4F70-9014-659614AABCB2}
* HKEY_CLASSES_ROOT\Interface\{E3DF91F3-F24F-441E-9001-D61F36024322}
* HKEY_CLASSES_ROOT\Interface\{F459EADB-5903-48D5-864C-2B7B46AB1424}
* HKEY_CLASSES_ROOT\Interface\{FC4EDF66-0547-4F1A-AE96-7CFCAD711C90}
* HKEY_CLASSES_ROOT\TypeLib\{661173EE-FA31-4769-97D4-B556B5D09BDA}
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareQuake.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake
* HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake

3. Adds the following values:

"SpywareQuake" = "%ProgramFiles%\SpywareQuake\SpywareQuake.exe /h"
"Spyware Quake" = "%ProgramFiles%\SpywareQuake\SpywareQuake.exe /h"

to the registry subkey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.
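A defender's check for the persistence mechanism in step 3, added here as an example and not part of the Symantec page: it parses a constructed `.reg` export of the HKLM Run key and flags any value whose command launches SpywareQuake.exe or points into the SpywareQuake install directory listed above. The sample export is constructed, the `reg export` workflow is an assumption, and `hex(...)` (binary/expand) values are not parsed.

```python
import re

# Constructed sample of what `reg export "HKLM\...\Run" run.reg` could produce on an
# infected host, with one benign entry mixed in. Not captured from a real system.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"="C:\\Program Files\\SpywareQuake\\SpywareQuake.exe /h"
"Spyware Quake"="C:\\Program Files\\SpywareQuake\\SpywareQuake.exe /h"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Markers taken from the advisory's Run value: the binary name and the install folder.
SUSPECT_MARKERS = ("spywarequake.exe", "\\spywarequake\\")

# "name"="value" lines; backslashes and quotes inside are escaped with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports write \" for a quote and \\ for a single backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_values(text):
    """Return {key_path: {value_name: string_value}} for REG_SZ values in a .reg export.
    hex(...) values are skipped (assumption of this example, not a limit of the format)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_spywarequake_run_entries(text):
    """Return [(value_name, command)] for HKLM Run values that launch SpywareQuake."""
    run_values = parse_reg_values(text).get(RUN_KEY, {})
    return [(name, cmd) for name, cmd in run_values.items()
            if any(marker in cmd.lower() for marker in SUSPECT_MARKERS)]


if __name__ == "__main__":
    for name, cmd in find_spywarequake_run_entries(SAMPLE_REG_EXPORT):
        print(f"persistence value {name!r} -> {cmd}")
```

Each flagged value name is the one to delete under "Delete any values added to the registry" in the Response section, after the binary itself has been removed.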

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Uninstall the security risk.
3. Run the scan.
4. Delete any values added to the registry.