
HTTP AgentSpyware Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application AgentSpyware.

Additional Information

When this risk is executed, it performs the following actions:

1. Creates the following files:

%ProgramFiles%\SoftwareDoctor\AgentSpyware\AdwareAlert.dll
%ProgramFiles%\SoftwareDoctor\AgentSpyware\AgentSpyware.dll
%ProgramFiles%\SoftwareDoctor\AgentSpyware\AgentSpyware.exe
%ProgramFiles%\SoftwareDoctor\AgentSpyware\DataBase Update.exe
%ProgramFiles%\SoftwareDoctor\AgentSpyware\DbCookies.ref
%ProgramFiles%\SoftwareDoctor\AgentSpyware\DbFilesFolders.ref
%ProgramFiles%\SoftwareDoctor\AgentSpyware\DbProcessDlls.ref
%ProgramFiles%\SoftwareDoctor\AgentSpyware\DbRegistry.ref
%ProgramFiles%\SoftwareDoctor\AgentSpyware\DBVersion.ini
%ProgramFiles%\SoftwareDoctor\AgentSpyware\details.ref
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Progress.exe
%ProgramFiles%\SoftwareDoctor\AgentSpyware\res.txt
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\CustomScan.stg
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\IgnoreList.stg
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\RegInfo.stg
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\ScanInfo.stg
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\SelectedFolders.stg
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\Settings.stg
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\Shield.ini
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\Spyware.stg
%ProgramFiles%\SoftwareDoctor\AgentSpyware\Settings\Spywares.stg
%ProgramFiles%\SoftwareDoctor\AgentSpyware\SpyLog.txt
%ProgramFiles%\SoftwareDoctor\AgentSpyware\ST6UNST.LOG
%UserProfile%\Desktop\AgentSpyware.lnk
%UserProfile%\Start Menu\Programs\SoftwareDoctor\AgentSpyware\AgentSpyware.lnk
%UserProfile%\Start Menu\Programs\SoftwareDoctor\AgentSpyware\Uninstall.lnk

Note:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E6E36A67-609F-4487-82C0-68E3971AB55C}
HKEY_LOCAL_MACHINE\SOFTWARE\SoftwareDoctor
HKEY_LOCAL_MACHINE\SOFTWARE\SoftwareDoctor\AgentSpyware
HKEY_ALL_USERS\Software\AgentSpyware

3. Adds the value:

"AgentSpyware" = "%ProgramFiles%\SpftwareDoctor\AgentSpyware\AgentSpyware.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.
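The following PowerShell script is an added example and is not part of the Symantec signature page: it checks a Windows host for the file, registry-key and Run-value indicators listed in steps 1 to 3 above. The file paths and HKLM keys are taken from the page; the page's "HKEY_ALL_USERS\Software\AgentSpyware" entry is interpreted here as a per-user key and checked under HKCU and every loaded HKEY_USERS hive, and the post-XP Start Menu location under AppData\Roaming is checked in addition to the XP layout the page gives (both are assumptions). The Run value is matched on its name and on any Run data that references AgentSpyware.exe, so a differently spelled install folder is still reported.

```powershell
# Added example (not from the Symantec page): host-side check for the AgentSpyware
# indicators listed above. Run in an elevated PowerShell session on the host being examined.
$programFiles = $env:ProgramFiles
$userProfile  = $env:USERPROFILE
$base = Join-Path $programFiles 'SoftwareDoctor\AgentSpyware'

# File indicators from the page, relative to the install folder
$relativeFiles = @(
  'AdwareAlert.dll', 'AgentSpyware.dll', 'AgentSpyware.exe', 'DataBase Update.exe',
  'DbCookies.ref', 'DbFilesFolders.ref', 'DbProcessDlls.ref', 'DbRegistry.ref',
  'DBVersion.ini', 'details.ref', 'Progress.exe', 'res.txt',
  'Settings\CustomScan.stg', 'Settings\IgnoreList.stg', 'Settings\RegInfo.stg',
  'Settings\ScanInfo.stg', 'Settings\SelectedFolders.stg', 'Settings\Settings.stg',
  'Settings\Shield.ini', 'Settings\Spyware.stg', 'Settings\Spywares.stg',
  'SpyLog.txt', 'ST6UNST.LOG'
)
$files = @($relativeFiles | ForEach-Object { Join-Path $base $_ })
$files += Join-Path $userProfile 'Desktop\AgentSpyware.lnk'

# Start Menu shortcuts: the page gives the Windows XP layout; newer Windows keeps the
# per-user Start Menu under AppData\Roaming, so both locations are checked (assumption).
foreach ($sm in @('Start Menu\Programs', 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs')) {
  $files += Join-Path $userProfile "$sm\SoftwareDoctor\AgentSpyware\AgentSpyware.lnk"
  $files += Join-Path $userProfile "$sm\SoftwareDoctor\AgentSpyware\Uninstall.lnk"
}

$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $files) {
  if (Test-Path -LiteralPath $f) { $findings.Add("FILE    $f") }
}

# Registry subkeys from the page (HKLM entries verbatim; HKEY_ALL_USERS read as per-user)
$keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E6E36A67-609F-4487-82C0-68E3971AB55C}',
  'HKLM:\SOFTWARE\SoftwareDoctor',
  'HKLM:\SOFTWARE\SoftwareDoctor\AgentSpyware',
  'HKCU:\Software\AgentSpyware'
)
# Also look under every loaded user hive (HKU:\<SID>\Software\AgentSpyware)
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
  New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem HKU:\ | ForEach-Object { $keys += "HKU:\$($_.PSChildName)\Software\AgentSpyware" }

foreach ($k in $keys) {
  if (Test-Path -LiteralPath $k) { $findings.Add("REGKEY  $k") }
}

# Persistence: the Run value from step 3. Matched on the value name and on any Run data
# that points at AgentSpyware.exe, so a variant install folder name is still caught.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
  $run = Get-ItemProperty -LiteralPath $runKey
  foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -in $providerProps) { continue }   # skip registry-provider metadata
    if ($p.Name -eq 'AgentSpyware' -or "$($p.Value)" -match 'AgentSpyware\.exe') {
      $findings.Add("RUNVAL  $($p.Name) = $($p.Value)")
    }
  }
}

if ($findings.Count -eq 0) {
  Write-Output 'No AgentSpyware indicators found.'
} else {
  Write-Output "AgentSpyware indicators found ($($findings.Count)):"
  $findings | ForEach-Object { Write-Output "  $_" }
  exit 1   # non-zero exit so a scheduled task or EDR job can act on the result
}
```

The script only reads; it reports each hit with a FILE, REGKEY or RUNVAL prefix and exits non-zero when anything is found, so it can be dropped into a scheduled task or a remote-execution job and triaged from the exit code. Removal of the listed files and keys is deliberately left to the analyst after the findings have been reviewed.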

Affected

  • Windows 2000
  • Windows NT
  • Windows XP