HTTP SystemDoctor Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects an attempt by Security Risk.SystemDoctor to communicate with its controlling server and request information from it.

Additional Information

When SystemDoctor is installed on the computer, it creates the following files:

* C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\SystemDoctor 2006.lnk
* C:\Documents and Settings\Administrator\Desktop\SystemDoctor 2006.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\Contact customer support.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\SystemDoctor 2006 on the Web.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\SystemDoctor 2006.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\Uninstall SystemDoctor 2006.lnk
* C:\Program Files\SystemDoctor 2006 Free\Activate.dat
* C:\Program Files\SystemDoctor 2006 Free\Activate.exe
* C:\Program Files\SystemDoctor 2006 Free\bnlink.dat
* C:\Program Files\SystemDoctor 2006 Free\DataBase.sav
* C:\Program Files\SystemDoctor 2006 Free\hmlink.dat
* C:\Program Files\SystemDoctor 2006 Free\insthelp.exe
* C:\Program Files\SystemDoctor 2006 Free\lapv.dat
* C:\Program Files\SystemDoctor 2006 Free\License.rtf
* C:\Program Files\SystemDoctor 2006 Free\lock.dat
* C:\Program Files\SystemDoctor 2006 Free\order.dll
* C:\Program Files\SystemDoctor 2006 Free\pv.dat
* C:\Program Files\SystemDoctor 2006 Free\ReportListFile.dat
* C:\Program Files\SystemDoctor 2006 Free\Sd2006.exe
* C:\Program Files\SystemDoctor 2006 Free\sd2006url.url
* C:\Program Files\SystemDoctor 2006 Free\support.url
* C:\Program Files\SystemDoctor 2006 Free\umain.xml
* C:\Program Files\SystemDoctor 2006 Free\unins000.dat
* C:\Program Files\SystemDoctor 2006 Free\unins000.exe
* C:\Program Files\SystemDoctor 2006 Free\up.dat
* C:\Program Files\SystemDoctor 2006 Free\updater.dat
* C:\Program Files\SystemDoctor 2006 Free\updater.exe
* C:\Documents and Settings\Administrator\Local Settings\Temp\USDR6_0001_D08M0404
* C:\Documents and Settings\Administrator\Local Settings\Temp\SystemDoctorFreeSetup.exe

Next, the program creates the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM CLSID]
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemDoctor.Free
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1
* HKEY_LOCAL_MACHINE\SOFTWARE\SystemDoctor 2006 Free
* HKEY_CURRENT_USER\Software\SystemDoctor 2006 Free

It also creates the following registry entry so that it executes whenever Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SystemDoctor 2006 Free" = "C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan"

Next, the program may display exaggerated reports of threats on the computer, including the following:

* w32.myzor.fk@if
* trojanspm/lx
* trojan.dloader/lx
* spyworm.win32
* win32.trojan.rx
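A read-only host check for the files, registry subkeys and Run entry listed above, added here as an example and not part of Symantec's signature content. It assumes an elevated PowerShell session on the host being examined; the environment-resolved directories and the WOW6432Node Run key are added on the assumption that the host runs a newer or 64-bit Windows than the page's "C:\Documents and Settings" paths imply.

```powershell
# Added example: check a host for the SystemDoctor indicators given on this page.
# Read-only; nothing is deleted or modified.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. The autorun value the page names (plus the 32-bit view on 64-bit Windows, an assumption).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $v = (Get-ItemProperty -Path $k -Name 'SystemDoctor 2006 Free').'SystemDoctor 2006 Free'
    if ($v) { $findings += "Run value present: $k -> $v" }
}

# 2. Registry subkeys from the page. The [RANDOM CLSID] entry has no fixed name to test for.
$subKeys = @('HKLM:\SOFTWARE\Classes\SystemDoctor.Free',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1',
             'HKLM:\SOFTWARE\SystemDoctor 2006 Free',
             'HKCU:\Software\SystemDoctor 2006 Free')
foreach ($k in $subKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 3. Install directory: the page's literal path plus environment-resolved equivalents (assumed).
$dirs = @('C:\Program Files\SystemDoctor 2006 Free')
foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($base) { $dirs += (Join-Path $base 'SystemDoctor 2006 Free') }
}
$binaries = 'Sd2006.exe', 'Activate.exe', 'insthelp.exe', 'updater.exe', 'order.dll'
foreach ($d in ($dirs | Select-Object -Unique)) {
    foreach ($f in $binaries) {
        $p = Join-Path $d $f
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 4. The dropped installer in the page's temp path and in the current user's temp directory.
foreach ($t in @('C:\Documents and Settings\Administrator\Local Settings\Temp', $env:TEMP)) {
    if ($t) {
        $p = Join-Path $t 'SystemDoctorFreeSetup.exe'
        if (Test-Path -LiteralPath $p) { $findings += "Installer present: $p" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[SystemDoctor] $_" } }
else { Write-Output '[SystemDoctor] none of the indicators from this page were found' }
```

Any "Run value present" line is the persistence indicator to act on first, since the -scan argument in that value is what launches the program at every logon.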

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows 2000