
HTTP Spybouncer Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects MisleadingApp.Spybouncer communicating with its controlling server and requesting information from it.

Additional Information

When SpyBouncer is executed, it performs the following actions:

1. Creates the following files:

* %ProgramFiles%\Bouncer\BDB.dll
* %ProgramFiles%\Bouncer\Bouncer.exe
* %ProgramFiles%\Bouncer\LiveUpdate.exe
* %ProgramFiles%\Bouncer\SBB.dll
* %ProgramFiles%\Bouncer\chilkatZip.dll
* %ProgramFiles%\Bouncer\delQueue.exe
* %ProgramFiles%\Bouncer\delmod.dll
* %ProgramFiles%\Bouncer\options.cfg
* %ProgramFiles%\Bouncer\requeue.dll
* %ProgramFiles%\Bouncer\help\*.*
* C:\Documents and Settings\All Users\Start Menu\Programs\SpyBouncer\SpyBouncer Help.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\SpyBouncer\SpyBouncer LiveUpdate.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\SpyBouncer\SpyBouncer.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\SpyBouncer\Uninstall.lnk
* C:\Documents and Settings\All Users\Start Menu\SpyBouncer.lnk
* %System%\mscomctl.ocx (A legitimate file.)
* %System%\msinet.ocx (A legitimate file.)

Note:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Adds the value:

"Bouncer RunStartup" = "[PATH TO RISK]\liveupdate.exe 110"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.

3. Creates the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{8C7AB65B-830C-442A-A71A-0E06BAF9CAF2}
HKEY_CLASSES_ROOT\Interface\{F3A1BEC7-6D42-4A5D-ABDC-534669A087E1}
HKEY_CLASSES_ROOT\TypeLib\{AA33A373-5938-461B-9CAB-35B66F1975E0}
HKEY_CLASSES_ROOT\delmod.DeleteMod
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B8654183-8384-4A84-A22E-CA5A0BC35DCD}
HKEY_LOCAL_MACHINE\SOFTWARE\SRC

4. Adds the values:

"%ProgramFiles%\Bouncer\Bouncer.exe" = "1"
"%ProgramFiles%\Bouncer\BDB.dll" = "1"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

5. Adds the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{18BBDF4D-611D-41CE-A7E7-B2DD23C250D1}
HKEY_CLASSES_ROOT\CLSID\{8551311D-F3BF-4718-AD66-96E302500735}
HKEY_CLASSES_ROOT\CLSID\{CE23505D-68FB-4C49-AE4B-D4F1CF86A2C4}
HKEY_CLASSES_ROOT\CLSID\{DB90DEA9-0897-4B02-9FE0-1E321A22EAB0}
HKEY_CLASSES_ROOT\CLSID\{DB92433D-1902-4789-BAFC-B46B0DCDEBB7}
HKEY_CLASSES_ROOT\CLSID\{EC352548-52B5-41AC-B8C1-8CB561ECF7AD}
HKEY_CLASSES_ROOT\TypeLib\{6F65ED0D-066E-4C92-B442-2704E7B64111}
HKEY_LOCAL_MACHINE\SOFTWARE\Chilkat Software, Inc.\ChilkatZip.ChilkatZip

which are associated with a legitimate compression library called chilkatzip.

6. Adds the value:

"Compatibility Flags" = "400"

to a large number of registry keys in the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

to prevent certain ActiveX controls from loading in Internet Explorer.

7. May give exaggerated reports of threats on the compromised computer when a scan is run.

8. Prompts the user to delete these threats by purchasing the full version of the product.
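As an added example (not part of the Symantec write-up), the following Python script matches the file and registry indicators listed above against a registry export in .reg format and a file listing, the kind of artefacts a responder collects from a host before following the Response steps. The minimal .reg parser, the function names and the sample data are assumptions made here; the sample export and file list are constructed, the CLSID under ActiveX Compatibility is a placeholder, and the two legitimate files (mscomctl.ocx, msinet.ocx) are deliberately not treated as indicators.

```python
"""Added example (not part of the Symantec write-up): match the SpyBouncer
indicators listed above against a constructed .reg export and file listing."""
import re

# Indicators as listed in the signature write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Bouncer RunStartup"
ACTIVEX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
RISK_FILES = {
    r"%ProgramFiles%\Bouncer\BDB.dll", r"%ProgramFiles%\Bouncer\Bouncer.exe",
    r"%ProgramFiles%\Bouncer\LiveUpdate.exe", r"%ProgramFiles%\Bouncer\SBB.dll",
    r"%ProgramFiles%\Bouncer\chilkatZip.dll", r"%ProgramFiles%\Bouncer\delQueue.exe",
    r"%ProgramFiles%\Bouncer\delmod.dll", r"%ProgramFiles%\Bouncer\options.cfg",
    r"%ProgramFiles%\Bouncer\requeue.dll",
}  # mscomctl.ocx and msinet.ocx are legitimate files and deliberately not listed
RISK_SUBKEYS = {
    r"HKEY_CLASSES_ROOT\CLSID\{8C7AB65B-830C-442A-A71A-0E06BAF9CAF2}",
    r"HKEY_CLASSES_ROOT\Interface\{F3A1BEC7-6D42-4A5D-ABDC-534669A087E1}",
    r"HKEY_CLASSES_ROOT\TypeLib\{AA33A373-5938-461B-9CAB-35B66F1975E0}",
    r"HKEY_CLASSES_ROOT\delmod.DeleteMod",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B8654183-8384-4A84-A22E-CA5A0BC35DCD}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\SRC",
}


def parse_reg_export(text):
    """Minimal .reg parser (assumption: a regedit 5.00 export). Returns
    {key: {value_name: data}}. String data is unquoted and unescaped; other
    types (e.g. dword:...) are kept as raw text; default values (@=) are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})  # a key with no values still counts as present
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_indicators(reg_text, file_paths, program_files=r"C:\Program Files"):
    """Report which of the page's indicators appear in the export and file list."""
    reg = parse_reg_export(reg_text)
    by_lower = {k.lower(): k for k in reg}  # registry paths are case-insensitive
    report = {"run_value": None, "subkeys": [], "files": [], "killbits": 0}
    run_values = reg.get(by_lower.get(RUN_KEY.lower(), ""), {})
    if RUN_VALUE in run_values:
        report["run_value"] = run_values[RUN_VALUE]
    report["subkeys"] = sorted(s for s in RISK_SUBKEYS if s.lower() in by_lower)
    expected = {p.replace("%ProgramFiles%", program_files).lower(): p for p in RISK_FILES}
    report["files"] = sorted(expected[f.lower()] for f in file_paths if f.lower() in expected)
    # Count CLSIDs under ActiveX Compatibility carrying the 0x400 Compatibility Flag
    # the page describes. Windows itself ships many such entries, so this number is
    # only corroborating and never conclusive on its own.
    prefix = ACTIVEX_KEY.lower() + "\\"
    for key, values in reg.items():
        m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", values.get("Compatibility Flags", ""))
        if key.lower().startswith(prefix) and m and int(m.group(1), 16) & 0x400:
            report["killbits"] += 1
    return report


# Constructed sample data (not real host artefacts); the ActiveX CLSID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bouncer RunStartup"="C:\\Program Files\\Bouncer\\liveupdate.exe 110"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\SRC]

[HKEY_CLASSES_ROOT\delmod.DeleteMod]
@="DeleteMod"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
"""
SAMPLE_FILES = [
    r"C:\Program Files\Bouncer\Bouncer.exe",
    r"C:\program files\bouncer\bdb.dll",        # case differs on purpose
    r"C:\Program Files\Bouncer\help\index.htm",
    r"C:\WINDOWS\system32\msinet.ocx",          # legitimate file, must not be flagged
]

if __name__ == "__main__":
    for name, hit in find_indicators(SAMPLE_REG, SAMPLE_FILES).items():
        print(f"{name}: {hit}")
```

Matching on the exact value name "Bouncer RunStartup" rather than on liveupdate.exe alone is intentional: a file called liveupdate.exe is not specific to this risk, whereas the value name, the Bouncer directory and the vendor-specific subkeys together are.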

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Uninstall the security risk.
3. Run the scan.
4. Delete any values added to the registry.