HTTP SpyBlocs Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects SpyBlocs, a security risk that may give exaggerated reports of threats on the computer.

Additional Information

When SpyBlocs is executed, it performs the following actions:

1. Creates the following files:

* C:\Documents and Settings\Administrator\Desktop\SpyBlocs.lnk
* C:\Documents and Settings\Administrator\Local Settings\Temp\GLF7.tmp
* C:\Documents and Settings\Administrator\Local Settings\Temp\spyblocs.set
* C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBB19.tmp
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyBlocs\Eblocs.com website.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyBlocs\SpyBlocs.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyBlocs\Support.lnk
* C:\Program Files\eBlocs\SpyBlocs\eBlocsSB.dll
* C:\Program Files\eBlocs\SpyBlocs\eBlocsSBUI.dll
* C:\Program Files\eBlocs\SpyBlocs\GLF8.exe
* C:\Program Files\eBlocs\SpyBlocs\INSTALL.LOG
* C:\Program Files\eBlocs\SpyBlocs\SpyBLCFG.INI
* C:\Program Files\eBlocs\SpyBlocs\SpyBlocs.exe
* C:\Program Files\eBlocs\SpyBlocs\spyblpat.dat.03
* C:\Program Files\eBlocs\SpyBlocs\spyblpat1.dat.03
* C:\Program Files\eBlocs\SpyBlocs\spyblpat11.dat.03
* C:\Program Files\eBlocs\SpyBlocs\spyblpat12.dat.03
* C:\Program Files\eBlocs\SpyBlocs\spyblpat13.dat.03
* C:\Program Files\eBlocs\SpyBlocs\spyblpat14.dat.03
* C:\Program Files\eBlocs\SpyBlocs\spyblpat2.dat.03
* C:\Program Files\eBlocs\SpyBlocs\spyblpat3.dat.03
* C:\Program Files\eBlocs\SpyBlocs\spyblpat4.dat.03
* C:\Program Files\eBlocs\SpyBlocs\SpyBLSettings.ini
* C:\Program Files\eBlocs\SpyBlocs\uninstall.exe
* C:\Program Files\eBlocs\SpyBlocs\UNWISE.EXE
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Alert Indext.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Alert Internet Explorer.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Alert Startup Program.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Notify.wav
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Report Index.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Report Spyware.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Report Tracking Cookie.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Restore IE Main.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Restore Index.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Restore Run.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Restore Spyware.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Restore tracking cookie.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Settings Index.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Settings Internet Explorer.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\Settings Startup Program.htm
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\spyblchk.ini
* C:\Program Files\eBlocs\SpyBlocs\UserGuide\spyblocs.set
* C:\Program Files\eBlocs\SpyBlocs\uwhttpsr.dll
* C:\Program Files\eBlocs\SpyBlocs\wslvucfg.ini
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\DelayLoad.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\Explorer Bars.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\Explorer Plugins.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\Hosts.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\IE Extensions.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\IE Main.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\IE Menubar.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\IE Plugins.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\IE Searchbar.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\IE Toolbar.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\NT Run.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\Run.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\RunOnce.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\RunOnceEx.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\RunServices.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\Service.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\Shell.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\Startup.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\URLSearchHooks.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\Shield\WinLogon.ebl
* C:\Program Files\eBlocs\SpyBlocs\[RANDOM VALUE]\SpyBLExecTime.ini
* C:\WINDOWS\sb_affiliate.ini


2. Creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyBlocs 6.0
HKEY_LOCAL_MACHINE\SOFTWARE\eBlocs\SpyBlocs
HKEY_LOCAL_MACHINE\SOFTWARE\eBlocsKeepSafe
HKEY_LOCAL_MACHINE\SOFTWARE\WsLiveUp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (a standard Windows key that usually already exists; the indicator is the value written under it in step 3)
HKEY_CURRENT_USER\Software\ebc
HKEY_CURRENT_USER\Software\eBlocs\SpyBlocs
HKEY_CURRENT_USER\Software\WsLiveUp

3. Adds the value:

"SpyBlocs" = "%ProgramFiles%\eBlocs\SpyBlocs\GLF8.exe"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the risk runs when Windows starts.

4. Adds the following lines to the Win.ini file:

[eBlocksKeepSafe]
ClientID=[RANDOM VALUE]
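The indicators in steps 1 to 4 above can be checked on a suspect host with the following PowerShell script. It is an added example, not Symantec's code and not part of the SpyBlocs program; it only reports and removes nothing. It assumes the current user's profile in place of the literal Administrator profile shown in the file list, also checks the HKLM\SOFTWARE keys under Wow6432Node in case the 32-bit installer ran on a 64-bit host, looks for the Shield\*.ebl files one level below the install directory because the [RANDOM VALUE] directory name cannot be predicted, and matches the Win.ini section name exactly as this page gives it ([eBlocksKeepSafe], which differs from the eBlocsKeepSafe registry key name).

```powershell
# Added example: host triage for the SpyBlocs indicators listed above.
# Not Symantec's code. Report only; nothing is deleted or changed.

$hits = New-Object System.Collections.Generic.List[string]

# 1. Files. The page lists paths under the Administrator profile; the
#    current user's profile and temp directory are used here (assumption),
#    plus the fixed Program Files and Windows paths from the list.
$programDir = Join-Path $env:ProgramFiles 'eBlocs\SpyBlocs'
$filePaths = @(
    (Join-Path $programDir 'SpyBlocs.exe'),
    (Join-Path $programDir 'GLF8.exe'),
    (Join-Path $programDir 'eBlocsSB.dll'),
    (Join-Path $programDir 'eBlocsSBUI.dll'),
    (Join-Path $programDir 'uwhttpsr.dll'),
    (Join-Path $programDir 'SpyBLCFG.INI'),
    (Join-Path $env:SystemRoot 'sb_affiliate.ini'),
    (Join-Path $env:TEMP 'spyblocs.set'),
    (Join-Path $env:USERPROFILE 'Desktop\SpyBlocs.lnk')
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $hits.Add("file: $p") }
}

# The [RANDOM VALUE] subdirectory cannot be matched by name, so every
# subdirectory of the install directory is checked for a Shield\Run.ebl.
if (Test-Path -LiteralPath $programDir) {
    Get-ChildItem -LiteralPath $programDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $shield = Join-Path $_.FullName 'Shield'
            if (Test-Path -LiteralPath (Join-Path $shield 'Run.ebl')) {
                $hits.Add("dir: $shield")
            }
        }
}

# 2. Registry keys. The Wow6432Node entries are an assumption for 64-bit
#    hosts; HKCU\...\Run is a normal key and is handled in step 3.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyBlocs 6.0',
    'HKLM:\SOFTWARE\eBlocs\SpyBlocs',
    'HKLM:\SOFTWARE\eBlocsKeepSafe',
    'HKLM:\SOFTWARE\WsLiveUp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SpyBlocs 6.0',
    'HKLM:\SOFTWARE\Wow6432Node\eBlocs\SpyBlocs',
    'HKLM:\SOFTWARE\Wow6432Node\eBlocsKeepSafe',
    'HKLM:\SOFTWARE\Wow6432Node\WsLiveUp',
    'HKCU:\Software\ebc',
    'HKCU:\Software\eBlocs\SpyBlocs',
    'HKCU:\Software\WsLiveUp'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $hits.Add("regkey: $k") }
}

# 3. Persistence: the "SpyBlocs" value under the current user's Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'SpyBlocs' -ErrorAction SilentlyContinue
if ($run) { $hits.Add("runvalue: $runKey\SpyBlocs = $($run.SpyBlocs)") }

# 4. Win.ini section, spelled exactly as the page gives it.
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path -LiteralPath $winIni) {
    $m = Select-String -Path $winIni -Pattern '^\[eBlocksKeepSafe\]'
    if ($m) { $hits.Add("win.ini: line $($m.LineNumber): $($m.Line)") }
}

if ($hits.Count -eq 0) {
    Write-Output 'No SpyBlocs indicators found.'
} else {
    Write-Output "SpyBlocs indicators found ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

The HKCU checks only cover the user running the script; other profiles on the machine need their hives loaded or their NTUSER.DAT files examined separately. A hit on the Run value or the Win.ini section is the strongest signal, since the other files can remain after an incomplete uninstall.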

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
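For step 3, the two changes that survive a file-level clean-up are the Run value from Additional Information step 3 and the Win.ini section from step 4. The following PowerShell script removes both; it is an added example, not Symantec's code, and it leaves the files and the remaining registry keys to the antivirus scan in steps 1 and 2. It assumes the section name [eBlocksKeepSafe] as this page spells it and writes a .bak copy of win.ini before changing it.

```powershell
# Added example: remove the SpyBlocs Run value and the [eBlocksKeepSafe]
# Win.ini section. Not Symantec's code. Run with -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess=$true)]
param()

# The persistence value under the current user's Run key (step 3 above).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Get-ItemProperty -Path $runKey -Name 'SpyBlocs' -ErrorAction SilentlyContinue) {
    if ($PSCmdlet.ShouldProcess("$runKey\SpyBlocs", 'Remove run value')) {
        Remove-ItemProperty -Path $runKey -Name 'SpyBlocs'
    }
}

# The Win.ini section (step 4 above). Every line from the [eBlocksKeepSafe]
# header up to the next section header is dropped, which removes the
# ClientID line with it; all other sections are copied through unchanged.
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path -LiteralPath $winIni) {
    $lines = @(Get-Content -Path $winIni)
    $kept = New-Object System.Collections.Generic.List[string]
    $inSection = $false
    foreach ($line in $lines) {
        if ($line -match '^\[(.*)\]\s*$') {
            $inSection = ($Matches[1] -eq 'eBlocksKeepSafe')
        }
        if (-not $inSection) { $kept.Add($line) }
    }
    if ($kept.Count -ne $lines.Count) {
        if ($PSCmdlet.ShouldProcess($winIni, 'Remove [eBlocksKeepSafe] section')) {
            Copy-Item -LiteralPath $winIni -Destination "$winIni.bak"
            Set-Content -Path $winIni -Value $kept.ToArray()
        }
    }
}
```

Writing to the Windows directory requires an elevated session; the Run value lives in the current user's hive and is removed for that user only, so repeat the first part for each affected profile.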