
HTTP AdwareSpy Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activities of the misleading application AdwareSpy.

Additional Information

When AdwareSpy is executed, it performs the following actions:

1. Creates the following files:

* %ProgramFiles%\AdwareSpy\AdwareSpy.chm
* %ProgramFiles%\AdwareSpy\AdwareSpy.dll
* %ProgramFiles%\AdwareSpy\AdwareSpy4.exe
* %ProgramFiles%\AdwareSpy\allowedlist.lst
* %ProgramFiles%\AdwareSpy\deniedlist.lst
* %ProgramFiles%\AdwareSpy\dp.xml
* %ProgramFiles%\AdwareSpy\HookProcessCreation.dll
* %ProgramFiles%\AdwareSpy\Media\unidentified.jpg
* %ProgramFiles%\AdwareSpy\prefs.dat
* %ProgramFiles%\AdwareSpy\Reference.dat
* %ProgramFiles%\AdwareSpy\unins000.dat
* %ProgramFiles%\AdwareSpy\unins000.exe
* %UserProfile%\Desktop\AdwareSpy.lnk
* %UserProfile%\Start Menu\Programs\AdwareSpy\AdwareSpy.lnk
* %UserProfile%\Start Menu\Programs\AdwareSpy\Help Manual.lnk

Notes:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdwareSpy_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

3. Adds the value:

"AdwareSpy" = "%ProgramFiles%\AdwareSpy\AdwareSpy4.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.
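The three steps above give a defender a complete set of host indicators: the files under %ProgramFiles% and %UserProfile%, the three registry subkeys, and the "AdwareSpy" value in the Run key that provides persistence. The following PowerShell script is an added example, not part of the Symantec signature or Symantec's tooling; it checks a host for exactly those indicators and reports which are present. It assumes a 32-bit installation of one of the affected Windows versions, so that $env:ProgramFiles resolves to the folder the signature refers to, and it assumes an elevated session so that the HKEY_LOCAL_MACHINE subkeys are readable.

```powershell
# Added example, not Symantec's code: check a host for the AdwareSpy indicators
# listed in the signature (files, registry subkeys, and the Run value).
# Assumes a 32-bit Windows NT/2000/XP install and an elevated PowerShell session.

# Files created under %ProgramFiles%, as listed in the signature.
$programFilesEntries = @(
    'AdwareSpy\AdwareSpy.chm',
    'AdwareSpy\AdwareSpy.dll',
    'AdwareSpy\AdwareSpy4.exe',
    'AdwareSpy\allowedlist.lst',
    'AdwareSpy\deniedlist.lst',
    'AdwareSpy\dp.xml',
    'AdwareSpy\HookProcessCreation.dll',
    'AdwareSpy\Media\unidentified.jpg',
    'AdwareSpy\prefs.dat',
    'AdwareSpy\Reference.dat',
    'AdwareSpy\unins000.dat',
    'AdwareSpy\unins000.exe'
)

# Shortcuts created under %UserProfile%, as listed in the signature.
$userProfileEntries = @(
    'Desktop\AdwareSpy.lnk',
    'Start Menu\Programs\AdwareSpy\AdwareSpy.lnk',
    'Start Menu\Programs\AdwareSpy\Help Manual.lnk'
)

# Registry subkeys created by the application (PowerShell HKLM: drive notation).
$registryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdwareSpy_is1',
    'HKLM:\SOFTWARE\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}'
)

$findings = @()

# -LiteralPath avoids wildcard interpretation of the braces in the CLSID paths.
foreach ($rel in $programFilesEntries) {
    $p = Join-Path $env:ProgramFiles $rel
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
foreach ($rel in $userProfileEntries) {
    $p = Join-Path $env:USERPROFILE $rel
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
foreach ($k in $registryKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry subkey present: $k" }
}

# The Run value is the persistence mechanism: it starts AdwareSpy4.exe with Windows.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).AdwareSpy
if ($runValue) { $findings += "Run value present: AdwareSpy = $runValue" }

if ($findings.Count -eq 0) {
    Write-Output 'No AdwareSpy indicators found on this host.'
} else {
    Write-Output "$($findings.Count) AdwareSpy indicator(s) found:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The script only reads; it does not delete files or registry entries, so it can be run as a triage step before any cleanup. A hit on the Run value alone is the most useful single indicator, since it is what makes the application restart on every boot; the file and subkey checks confirm whether the rest of the installation is still in place.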

Affected

  • Windows 2000
  • Windows NT
  • Windows XP
