
HTTP AntiSpyBoss Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects AntiSpyBoss, a misleading application that may give exaggerated reports of threats on the computer.

Additional Information

When the program is executed, it creates the following folders:

* C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpyBoss
* %ProgramFiles%\AntiSpyBoss
Next, it creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpyBoss.lnk
* C:\Documents and Settings\All Users\Desktop\AntiSpyBoss.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpyBoss\AntiSpyBoss.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpyBoss\Uninstall AntiSpyBoss.lnk
* %ProgramFiles%\AntiSpyBoss\asb32.exe
* %ProgramFiles%\AntiSpyBoss\asb32.lng
* %ProgramFiles%\AntiSpyBoss\dbsmpl.dat
* %ProgramFiles%\AntiSpyBoss\sqoptions.dat
* %ProgramFiles%\AntiSpyBoss\sqresult.dat
* %ProgramFiles%\AntiSpyBoss\unins000.dat
* %ProgramFiles%\AntiSpyBoss\unins000.exe
The program may create temporary files in the following folder:
%UserProfile%\Local Settings\Temp

It also creates randomly named .exe and .dll files in the following folders:

* %UserProfile%\Local Settings\Temp
* %System%
* %Windir%

The randomly named files placed in the above folders are then reported by the program as detections during its system scan. These files are not executable and are non-malicious.

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AntiSpyBoss" = "C:\Program Files\AntiSpyBoss\asb32.exe"

It also creates the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\IQSoftware
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyBoss_is1
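The folders, files, Run value and registry subkeys listed above are the host-side indicators an administrator can check directly. The following read-only check is an added example, not part of this Symantec page or of any Symantec product: every path and registry key in it is copied from the lists above, while the function name and the output layout are this example's own. The randomly named .exe and .dll files in %UserProfile%\Local Settings\Temp, %System% and %Windir% have no fixed names and are therefore not covered by it.

```powershell
# Added example (not from the Symantec signature page): a read-only check for
# the AntiSpyBoss indicators listed above. Nothing is deleted or modified.

function Test-AntiSpyBossIndicators {
    [CmdletBinding()]
    param()

    # Folders and files exactly as the page lists them; %UserProfile% and
    # %ProgramFiles% are expanded on the local machine before the check.
    $paths = @(
        'C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpyBoss',
        '%ProgramFiles%\AntiSpyBoss',
        '%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpyBoss.lnk',
        'C:\Documents and Settings\All Users\Desktop\AntiSpyBoss.lnk',
        'C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpyBoss\AntiSpyBoss.lnk',
        'C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpyBoss\Uninstall AntiSpyBoss.lnk',
        '%ProgramFiles%\AntiSpyBoss\asb32.exe',
        '%ProgramFiles%\AntiSpyBoss\asb32.lng',
        '%ProgramFiles%\AntiSpyBoss\dbsmpl.dat',
        '%ProgramFiles%\AntiSpyBoss\sqoptions.dat',
        '%ProgramFiles%\AntiSpyBoss\sqresult.dat',
        '%ProgramFiles%\AntiSpyBoss\unins000.dat',
        '%ProgramFiles%\AntiSpyBoss\unins000.exe'
    )

    # Registry subkeys created by the program, as listed on the page.
    $subkeys = @(
        'HKLM:\SOFTWARE\IQSoftware',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyBoss_is1'
    )

    $findings = foreach ($p in $paths) {
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        [pscustomobject]@{
            Type      = 'FileOrFolder'
            Indicator = $expanded
            Present   = Test-Path -LiteralPath $expanded
        }
    }

    $findings += foreach ($k in $subkeys) {
        [pscustomobject]@{
            Type      = 'RegistryKey'
            Indicator = $k
            Present   = Test-Path -Path $k
        }
    }

    # The persistence entry: HKLM\...\Run\"AntiSpyBoss" pointing at asb32.exe.
    # The value data is reported so it can be compared with the page's value.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'AntiSpyBoss' -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Type      = 'RunValue'
        Indicator = "$runKey\AntiSpyBoss" + $(if ($run) { " = $($run.AntiSpyBoss)" } else { '' })
        Present   = [bool]$run
    }

    return $findings
}

# Usage: list every indicator with its presence, then flag any hit.
$results = Test-AntiSpyBossIndicators
$results | Format-Table -AutoSize
if ($results | Where-Object Present) {
    Write-Warning 'AntiSpyBoss indicators found on this host.'
}
```

The check only reads the file system and registry, so it can be run before following the Response steps and again afterwards to confirm that the Run value and the registry subkeys are gone. Because the Run value is what re-launches asb32.exe at every start, its absence after cleanup is the most useful single confirmation.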

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.