
System Infected: Misleading Application SoftStop Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects SoftStop communicating with its controlling server and requesting information from it.

Additional Information

When SoftStop is executed, it performs the following actions:

1. Creates the following files:
* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Spyware Soft Stop.lnk
* %UserProfile%\Administrator\Desktop\Spyware Soft Stop.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Spyware Soft Stop\Spyware Soft Stop on the Web.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Spyware Soft Stop\Spyware Soft Stop.lnk
* %ProgramFiles%\Spyware Soft Stop\base.001
* %ProgramFiles%\Spyware Soft Stop\base.002
* %ProgramFiles%\Spyware Soft Stop\base.003
* %ProgramFiles%\Spyware Soft Stop\base.004
* %ProgramFiles%\Spyware Soft Stop\gpkcsp.dll
* %ProgramFiles%\Spyware Soft Stop\httpapi.dll
* %ProgramFiles%\Spyware Soft Stop\htui.dll
* %ProgramFiles%\Spyware Soft Stop\Spyware Soft Stop.exe
* %ProgramFiles%\Spyware Soft Stop\Spyware Soft Stop.url
* %ProgramFiles%\Spyware Soft Stop\unins000.dat
* %ProgramFiles%\Spyware Soft Stop\unins000.exe
* %Windir%\sss_main.ini
Note:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

2. Creates one or more nonmalicious files, choosing the filename(s) from the list below.
* vindows32.exe
* keydsp.exe
* _winlogon32.exe
* dll2.dll
* gadf32.exe
* index_dsp.html
* ur72.dll
* wbc32.exe
* qscem.vob
* spy_sys.exe
* mydriver64.sys
* loggiver.dll
* pinch.exe
* system1.dat6
* logic.sam
* dotnet.exe
* mytob.exe
* exp.vbs
* azdd.exe
* spb32.dll
* ninja.rar
* wmzgrab.exe
* localhost32.exe
* remadm32.dll
* vobler.exe
* pasmew.dll
* opssd.dat
* ldsm.exe
* amewq32.exe
* mytool.com
* fsg32.exe
* logon032.dll
* 3.exe
* bspsupport.exe
* svchost72.exe

These files are created at random in the following locations: %SystemDrive%, %WinDir% or %System%.

Note:

%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

3. Creates the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Soft Stop_is1

4. Adds the following registry entry:

"Software Soft Stop" = "C:\Program Files\Spyware Soft Stop\Spyware Soft Stop.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the application runs every time Windows starts.

5. May incorrectly detect malware on the computer. The risk uses these false results in an attempt to persuade users to register the product for a fee.

Affected

  • Windows 2000
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Uninstall the security risk.
3. Run the scan.
4. Delete any values added to the registry.
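As an added example that is not part of Symantec's page or tooling, the following read-only PowerShell check looks for the artifacts listed under Additional Information (the Run value, the uninstall subkey, the program folder, the %Windir% ini file and the decoy file names in the three folders named in step 2). It assumes an elevated PowerShell session on the host being examined and reports findings without deleting anything, which is useful before and after the Response steps above.

```powershell
# Added example, not Symantec's tooling: read-only check for the Spyware Soft Stop
# artifacts listed on this page. Reports findings; removal is left to the Response
# steps. Assumes an elevated PowerShell session on the host being examined.

$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValueName = 'Software Soft Stop'   # value name exactly as listed on the page
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Soft Stop_is1'

# Decoy file names from step 2; any of them may appear in any of three folders.
$decoyNames = @(
    'vindows32.exe','keydsp.exe','_winlogon32.exe','dll2.dll','gadf32.exe','index_dsp.html',
    'ur72.dll','wbc32.exe','qscem.vob','spy_sys.exe','mydriver64.sys','loggiver.dll','pinch.exe',
    'system1.dat6','logic.sam','dotnet.exe','mytob.exe','exp.vbs','azdd.exe','spb32.dll','ninja.rar',
    'wmzgrab.exe','localhost32.exe','remadm32.dll','vobler.exe','pasmew.dll','opssd.dat','ldsm.exe',
    'amewq32.exe','mytool.com','fsg32.exe','logon032.dll','3.exe','bspsupport.exe','svchost72.exe'
)
# %SystemDrive%, %WinDir% and %System% resolved for the current host.
$decoyDirs = @("$env:SystemDrive\", $env:WinDir, [Environment]::SystemDirectory)

$findings = New-Object System.Collections.Generic.List[string]

# Persistence: the Run value that starts the application at every boot (step 4).
$runEntry = Get-ItemProperty -Path $runKey -Name $runValueName -ErrorAction SilentlyContinue
if ($runEntry) { $findings.Add("Run value '$runValueName' = $($runEntry.$runValueName)") }

# Uninstall subkey created by the installer (step 3).
if (Test-Path -Path $uninstallKey) { $findings.Add("Uninstall subkey present: $uninstallKey") }

# Program folder and the ini file dropped into %Windir% (step 1).
foreach ($path in @("$env:ProgramFiles\Spyware Soft Stop", "$env:WinDir\sss_main.ini")) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Present: $path") }
}

# Decoy files (step 2): only the three folders the page names, not a full disk scan.
foreach ($dir in $decoyDirs) {
    foreach ($name in $decoyNames) {
        $candidate = Join-Path -Path $dir -ChildPath $name
        if (Test-Path -LiteralPath $candidate) { $findings.Add("Decoy file present: $candidate") }
    }
}

if ($findings.Count -eq 0) { 'No Spyware Soft Stop artifacts found.' } else { $findings }
```

A clean result after step 4 of the Response confirms the Run value and uninstall subkey are gone; any remaining decoy file is harmless by the page's description but still worth removing during cleanup.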