
HTTP SpyFalcon Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects an attempt by Security Risk.SpyFalcon to communicate with its controlling server and request information from it.

Additional Information

When SpyFalcon is installed, it performs the following actions:

1. Creates the following folders:

* %ProgramFiles%\SpyFalcon
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following files:

* C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyFalcon 2.0.lnk
* C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyFalcon 3.1.lnk
* C:\Documents and Settings\Administrator\Desktop\SpyFalcon.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\SpyFalcon 2.0 Website.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\SpyFalcon 3.1 Website.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\SpyFalcon 2.0.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\SpyFalcon 3.1.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\Uninstall SpyFalcon 2.0.lnk
* C:\Documents and Settings\Administrator\Start Menu\Programs\SpyFalcon\Uninstall SpyFalcon 3.1.lnk
* C:\Documents and Settings\Administrator\Start Menu\SpyFalcon 2.0.lnk
* C:\Documents and Settings\Administrator\Start Menu\SpyFalcon 3.1.lnk
* %ProgramFiles%\SpyFalcon\blacklist.txt
* %ProgramFiles%\SpyFalcon\Lang\English.ini
* %ProgramFiles%\SpyFalcon\msvcp71.dll
* %ProgramFiles%\SpyFalcon\msvcr71.dll
* %ProgramFiles%\SpyFalcon\SpyFalcon.exe
* %ProgramFiles%\SpyFalcon\SpyFalcon.url
* %ProgramFiles%\SpyFalcon\syg.db
* %ProgramFiles%\SpyFalcon\uninst.exe
* %ProgramFiles%\SpyFalcon\sf.ini
* %Temp%\SFLanguage.ini

Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

3. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\spyaxe.exe
HKEY_CLASSES_ROOT\CLSID\{008E3200-28EB-463b-9B58-75C23D80911A}
HKEY_CLASSES_ROOT\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}
HKEY_CLASSES_ROOT\Interface\{001501E7-C970-4CB1-9740-E055BF3DDFD6}
HKEY_CLASSES_ROOT\Interface\{0CBD1CBA-E034-4287-9B49-5F2912E1D33B}
HKEY_CLASSES_ROOT\Interface\{0FBBBC44-296D-4A2F-AF45-BE1EE387F569}
HKEY_CLASSES_ROOT\Interface\{163469FD-6009-48E2-AD8C-47BB2E0D88BE}
HKEY_CLASSES_ROOT\Interface\{1694E5C6-9E1F-4C3B-B79A-828C2FC40003}
HKEY_CLASSES_ROOT\Interface\{18575620-E41D-4204-BF6F-964069D80F45}
HKEY_CLASSES_ROOT\Interface\{200BD3A6-A02B-4BAC-A364-A9D8017E3C4E}
HKEY_CLASSES_ROOT\Interface\{20C59F9F-33CB-4B1B-AFB6-B710DB845709}
HKEY_CLASSES_ROOT\Interface\{23D80835-4A3A-4572-9F5F-3F24A7A28AE5}
HKEY_CLASSES_ROOT\Interface\{255CDDA3-576B-44C9-B944-46EAC18D5D6F}
HKEY_CLASSES_ROOT\Interface\{3261F690-1CA4-4839-928B-F4F898B74EB7}
HKEY_CLASSES_ROOT\Interface\{37B9988B-1997-41F4-A832-DAE42CC3F7C2}
HKEY_CLASSES_ROOT\Interface\{4B860BE9-5B96-4443-9714-6ACD89989D1E}
HKEY_CLASSES_ROOT\Interface\{5B861FB8-903C-4996-B1D3-E9A86ED4BBCF}
HKEY_CLASSES_ROOT\Interface\{5796859D-53C4-46C1-AD6F-2A3C4D4306EB}
HKEY_CLASSES_ROOT\Interface\{597892CA-A878-4A04-978F-DBA8DC2BB2FB}
HKEY_CLASSES_ROOT\Interface\{673A88D4-C0E0-40D2-9B93-AE39D9A1675F}
HKEY_CLASSES_ROOT\Interface\{6876543E-DA55-4F90-9CD2-5ED380D9516C}
HKEY_CLASSES_ROOT\Interface\{701E8C3A-7910-4CCD-A9F8-7B9A5F5B3947}
HKEY_CLASSES_ROOT\Interface\{7CC220DA-D962-4935-AD3A-21F7CA4962E3}
HKEY_CLASSES_ROOT\Interface\{850300D6-D53B-4720-9372-6D31B85537E1}
HKEY_CLASSES_ROOT\Interface\{8C803228-BD61-4744-8B79-949E3F512DDC}
HKEY_CLASSES_ROOT\Interface\{9DD57F95-DA3A-4EDA-9475-27CCF366A4FD}
HKEY_CLASSES_ROOT\Interface\{B4D9C59B-A091-4D79-90CC-DD92F3BACF63}
HKEY_CLASSES_ROOT\Interface\{B7C685F0-1804-4382-A8EF-17D33DF97069}
HKEY_CLASSES_ROOT\Interface\{B8F90F00-CF78-4431-A13F-58B979F7EE20}
HKEY_CLASSES_ROOT\Interface\{CDEB1FD8-0917-40A2-B915-8FB9D7FDD75C}
HKEY_CLASSES_ROOT\Interface\{CF277F5A-347E-40C2-BAF0-4F09D0607041}
HKEY_CLASSES_ROOT\Interface\{D5DE421A-4AA5-4FE3-AA43-7D2A87D6267F}
HKEY_CLASSES_ROOT\Interface\{DD2D402A-DE41-47A6-AAC9-0D756776203E}
HKEY_CLASSES_ROOT\Interface\{E2F430FD-3062-4808-B23F-4B322BFED93F}
HKEY_CLASSES_ROOT\Interface\{E9B91E0C-305A-4DD2-9987-B3B0C254C6DE}
HKEY_CLASSES_ROOT\Interface\{EFD28371-A165-4873-A158-421D208FFE5A}
HKEY_CLASSES_ROOT\SpyFalcon.PopupBlockerConnector
HKEY_CLASSES_ROOT\SpyFalcon.PopupBlockerConnector.1
HKEY_CLASSES_ROOT\TypeLib\{244B730E-D899-4E38-9428-03D1143242E0}
HKEY_CLASSES_ROOT\TypeLib\{B4E17829-DACB-4320-9ABF-DCB382221FC2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyFalcon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon
HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon
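The following read-only host check is an added example, not Symantec's code: it tests for a subset of the files and registry subkeys listed above. It assumes a host with PowerShell (so not the Windows 9x/Me systems listed under Affected) and uses the current user's profile in place of the "Administrator" profile in the paths above; the `%ProgramFiles%` and `%Temp%` variables are resolved through `$env:` as the notes describe.

```powershell
# Added example (not from the advisory): read-only check for SpyFalcon artifacts.
# Assumption: the current user's profile stands in for "Administrator" in the
# page's paths; change $profileRoot to inspect a different account.
$profileRoot = $env:USERPROFILE

$files = @(
    "$env:ProgramFiles\SpyFalcon\SpyFalcon.exe",
    "$env:ProgramFiles\SpyFalcon\syg.db",
    "$env:ProgramFiles\SpyFalcon\sf.ini",
    "$env:ProgramFiles\SpyFalcon\blacklist.txt",
    "$env:ProgramFiles\SpyFalcon\uninst.exe",
    "$env:TEMP\SFLanguage.ini",
    "$profileRoot\Desktop\SpyFalcon.lnk",
    "$profileRoot\Start Menu\Programs\SpyFalcon"      # folder from step 1
)

$regKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\SpyFalcon',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyFalcon',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyFalcon.exe',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\spyaxe.exe',
    'HKEY_CLASSES_ROOT\SpyFalcon.PopupBlockerConnector',
    'HKEY_CLASSES_ROOT\SpyFalcon.PopupBlockerConnector.1',
    'HKEY_CLASSES_ROOT\CLSID\{008E3200-28EB-463b-9B58-75C23D80911A}',
    'HKEY_CLASSES_ROOT\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}',
    'HKEY_CLASSES_ROOT\TypeLib\{244B730E-D899-4E38-9428-03D1143242E0}',
    'HKEY_CLASSES_ROOT\TypeLib\{B4E17829-DACB-4320-9ABF-DCB382221FC2}'
)

$found = @()
foreach ($f in $files) {
    # -LiteralPath so the brackets and braces in these paths are not treated as wildcards
    if (Test-Path -LiteralPath $f) { $found += [pscustomobject]@{ Type = 'File'; Artifact = $f } }
}
foreach ($k in $regKeys) {
    # The Registry:: provider path reaches HKEY_CLASSES_ROOT, which has no HKCR: drive by default
    if (Test-Path -LiteralPath "Registry::$k") { $found += [pscustomobject]@{ Type = 'Registry'; Artifact = $k } }
}

if ($found.Count -eq 0) {
    Write-Output 'No SpyFalcon artifacts from the advisory were found on this host.'
} else {
    Write-Output "Found $($found.Count) SpyFalcon artifact(s); run a full scan before removing anything by hand:"
    $found | Format-Table -AutoSize
}
```

The script only reports; removal of the registry values is left to the Response steps below so that a full scan runs first.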

Affected

  • Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.