HTTP SpyFighter Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects attempts by Security Risk.SpyFighter to communicate with, and request information from, its controlling server.

Additional Information

When SpyFighter is executed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Desktop\Spy Fighter.lnk
* %UserProfile%\Start Menu\Programs\Spy Fighter\Spy Fighter.lnk
* %SystemDrive%\Documents and Settings\All Users\Desktop\Spy Fighter.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Spy Fighter\Spy Fighter.lnk
* %UserProfile%\Application Data\Microsoft\Installer\{EDBEE973-9D78-4C4C-B7BB-20380314C8A3}\_2cd672ae.exe
* %UserProfile%\Application Data\Microsoft\Installer\{EDBEE973-9D78-4C4C-B7BB-20380314C8A3}\_4ae13d6c.exe
* %ProgramFiles%\SpyFighter\200508.sf
* %ProgramFiles%\SpyFighter\200509.sf
* %ProgramFiles%\SpyFighter\200601.sf
* %ProgramFiles%\SpyFighter\200602.sf
* %ProgramFiles%\SpyFighter\ABetterInternet.dll
* %ProgramFiles%\SpyFighter\AdWare.dll
* %ProgramFiles%\SpyFighter\AdwareDatabase.dll
* %ProgramFiles%\SpyFighter\AutoUpdate.exe
* %ProgramFiles%\SpyFighter\code.dat
* %ProgramFiles%\SpyFighter\CoolWebSearch.dll
* %ProgramFiles%\SpyFighter\database.sf
* %ProgramFiles%\SpyFighter\Dialers.dll
* %ProgramFiles%\SpyFighter\History.dll
* %ProgramFiles%\SpyFighter\InstantAccessDialer.dll
* %ProgramFiles%\SpyFighter\license.rtf
* %ProgramFiles%\SpyFighter\LogRecorder.exe
* %ProgramFiles%\SpyFighter\MirarToolbar.dll
* %ProgramFiles%\SpyFighter\MySearchBar.dll
* %ProgramFiles%\SpyFighter\SearchCentrix.dll
* %ProgramFiles%\SpyFighter\SetupCustomActions.exe
* %ProgramFiles%\SpyFighter\SFReader.dll
* %ProgramFiles%\SpyFighter\SingleAdWare1.dll
* %ProgramFiles%\SpyFighter\SinglePlugins2.dll
* %ProgramFiles%\SpyFighter\SpyFighter.exe
* %ProgramFiles%\SpyFighter\WasherPlugins.dll
* %ProgramFiles%\SpyFighter\WebSearchToolbar.dll

Note:

%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
%SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

2. Adds the values:

"SpyFighterMonitor" = ""%ProgramFiles%\SpyFighter\SpyFighter.exe" monitor"
"SpyFighterUpdate" = ""%ProgramFiles%\SpyFighter\AutoUpdate.exe" silent"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.

3. Creates the following registry subkeys:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EDBEE973-9D78-4C4C-B7BB-20380314C8A3}
HKEY_LOCAL_MACHINE\SOFTWARE\SpyFighter

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
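
For step 3, the following added example (not Symantec's code) audits the Run key for the two value names listed above, and for any value whose data points into the SpyFighter install folder. The function name Find-SpyFighterAutorun is hypothetical, and the WOW6432Node key and the %ProgramFiles(x86)% folder are assumptions added for 64-bit Windows.

```powershell
# Added example, not Symantec's code. Find-SpyFighterAutorun is a hypothetical name.
function Find-SpyFighterAutorun {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [switch]$Remove   # delete matching values; honours -WhatIf and -Confirm
    )

    # First key is the one named on the page; the WOW6432Node view is an
    # assumption added for 32-bit installs on 64-bit Windows.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    ) | Where-Object { Test-Path -LiteralPath $_ }

    $names   = 'SpyFighterMonitor', 'SpyFighterUpdate'   # value names from the page
    $folders = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'SpyFighter' }      # install folder from the page

    foreach ($runKey in $runKeys) {
        $key = Get-Item -LiteralPath $runKey
        foreach ($name in $key.GetValueNames()) {
            # Read the raw data, then expand %ProgramFiles% ourselves for matching.
            $raw  = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $data = [Environment]::ExpandEnvironmentVariables($raw)

            $byName = $names -contains $name
            $byPath = [bool]($folders | Where-Object {
                $data.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
            if (-not ($byName -or $byPath)) { continue }

            $removed = $false
            if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$name", 'Remove value')) {
                Remove-ItemProperty -LiteralPath $runKey -Name $name -ErrorAction Stop
                $removed = $true
            }
            [pscustomobject]@{
                Key = $runKey; Name = $name; Data = $raw
                MatchedByName = $byName; MatchedByPath = $byPath; Removed = $removed
            }
        }
    }
}

Find-SpyFighterAutorun   # audit only; add -Remove -WhatIf to preview deletions
```

Run it from an elevated prompt after the full system scan; a value matched only by path has a name that differs from the two on this page and is worth reviewing before removal.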
