HTTP EasySpywareKiller Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects activities of the misleading application EasySpywareKiller.

Additional Information

When EasySpywareKiller is installed, it performs the following actions:

1. Creates the following files:
* %ProgramFiles%\Easy SPYREM\PopupE.ico
* %ProgramFiles%\Easy SPYREM\ee.ico
* %ProgramFiles%\Easy SPYREM\ee.url
* %ProgramFiles%\Easy SPYREM\klp.ico
* %ProgramFiles%\Easy SPYREM\klp.url
* %ProgramFiles%\Easy SPYREM\pct.ico
* %ProgramFiles%\Easy SPYREM\pct.url
* %ProgramFiles%\Easy SPYREM\popupe.url
* %ProgramFiles%\Easy SPYREM\psapi.dll
* %ProgramFiles%\Easy SPYREM\ref.dat
* %ProgramFiles%\Easy SPYREM\spyrem.exe
* %ProgramFiles%\Easy SPYREM\spyrem.url
* %ProgramFiles%\Easy SPYREM\spyremhlp.url
* %ProgramFiles%\Easy SPYREM\spyremreg.url
* %ProgramFiles%\Easy SPYREM\unins000.dat
* %ProgramFiles%\Easy SPYREM\unins000.exe
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Easy Spyware Killer Help.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Easy Spyware Killer on the Web.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Easy Spyware Killer.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Essential Security Programs\PAL Evidence Eliminator.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Essential Security Programs\PAL Keylog PRO.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Essential Security Programs\PAL PC Tracker.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Essential Security Programs\PAL Popup Eliminator.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Order Easy Spyware Killer.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Easy Spyware Killer\Uninstall Easy Spyware Killer.lnk
* %System%\MSCOMCTL.OCX
* %System%\tabctl32.ocx
* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Easy Spyware Killer.lnk
* %UserProfile%\Desktop\Easy Spyware Killer.lnk

Note:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
* %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Easy Spyware Killer_is1
* HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Easy Spyware Killer

3. May report the presence of threats on a user's computer even though they do not exist.

4. Prompts the user to purchase the full version of the product to remove these threats.
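
The following is an added example, not Symantec's code, that turns the file list and the Note above into a host check: it expands the write-up's placeholders to the per-version defaults the Note gives and reports which artifacts exist. `%System%` is the write-up's own placeholder rather than a real environment variable, so it is resolved from a table; the function names, the `family` keys and the choice of four indicators are assumptions of this example.

```python
import ntpath
import os

# Default locations taken from the page's Note. The Note gives no %UserProfile%
# default for Windows 95/98/Me, so that family has no entry for it.
_BASE = {"%ProgramFiles%": r"C:\Program Files", "%SystemDrive%": "C:"}
_PROFILE = {"%UserProfile%": r"C:\Documents and Settings\{user}"}
DEFAULTS = {
    "9x":     {**_BASE, "%System%": r"C:\Windows\System"},
    "nt2000": {**_BASE, **_PROFILE, "%System%": r"C:\Winnt\System32"},
    "xp":     {**_BASE, **_PROFILE, "%System%": r"C:\Windows\System32"},
}

# Subset of the artifacts listed on the page (extend with the full list as needed).
INDICATORS = [
    r"%ProgramFiles%\Easy SPYREM\spyrem.exe",
    r"%ProgramFiles%\Easy SPYREM\unins000.exe",
    r"%System%\tabctl32.ocx",
    r"%UserProfile%\Desktop\Easy Spyware Killer.lnk",
]

def expand(indicator, family, user):
    """Return the concrete Windows path, or None if the Note gives no default."""
    head, sep, rest = indicator.partition("\\")
    base = DEFAULTS[family].get(head)
    if base is None:
        return None
    return ntpath.normpath(base.replace("{user}", user) + sep + rest)

def scan(family, user, exists=os.path.exists, indicators=INDICATORS):
    """Return (hits, skipped): paths that exist, and indicators that could not
    be expanded for this Windows family."""
    hits, skipped = [], []
    for ind in indicators:
        path = expand(ind, family, user)
        if path is None:
            skipped.append(ind)
        elif exists(path):
            hits.append(path)
    return hits, skipped

if __name__ == "__main__":
    # On a live host, pass the family that matches the installed Windows version.
    found, unresolved = scan("xp", os.environ.get("USERNAME", "user"))
    for p in found:
        print("present:", p)
    for i in unresolved:
        print("not checked:", i)
```

MSCOMCTL.OCX and tabctl32.ocx are shared Visual Basic runtime controls that other software also installs, so a hit on those files alone is weak evidence; the `Easy SPYREM` folder and the Start Menu entries are the distinctive artifacts.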

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP