
System Infected: SpyShield Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application SpyShield.

Additional Information

SpyShield is a misleading application that may give exaggerated reports of threats on the computer.

When the program is executed, it creates the following files:

* %UserProfile%\Application Data\Microsoft\Installer\{6F82C699-3098-4CF3-880C-255161076312}\_[RANDOM HEXADECIMAL NUMBER].exe (three files matching this pattern)
* %UserProfile%\Desktop\SpyShield.lnk
* %UserProfile%\Start Menu\Programs\SpyShield.org Software\SpyShield Demo\Readme-Help.lnk
* %UserProfile%\Start Menu\Programs\SpyShield.org Software\SpyShield Demo\SpyShield Demo.lnk
* %UserProfile%\Start Menu\Programs\SpyShield.org Software\SpyShield Demo\SpyShield.com.url
* %ProgramFiles%\SpyShield Demo\BlockedCookies.dat
* %ProgramFiles%\SpyShield Demo\ExeDefinition.dat
* %ProgramFiles%\SpyShield Demo\FileDefinition.dat
* %ProgramFiles%\SpyShield Demo\help.chm
* %ProgramFiles%\SpyShield Demo\RegistryDefinition.dat
* %ProgramFiles%\SpyShield Demo\riched32.dll
* %ProgramFiles%\SpyShield Demo\Spyreaper.com.url
* %ProgramFiles%\SpyShield Demo\SpyReaperProDemo.exe
* %Windir%\Installer\[RANDOM FILE NAME].msi

It also creates the following clean files (shared runtime components that other, legitimate software may also depend on, so they should not be removed as part of cleanup):

* %Windir%\system32\actskn43.ocx
* %Windir%\system32\mscomct2.ocx
* %Windir%\system32\richtx32.ocx
* %Windir%\system32\skinboxer43.dll
* %Windir%\system32\tabctl32.ocx

Next, the program creates the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%ProgramFiles%\SpyShield Demo\" = ""
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%UserProfile%\Start Menu\Programs\SpyShield.org Software\" = ""
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%UserProfile%\Start Menu\Programs\SpyShield.org Software\SpyShield Demo\" = ""

It also creates the following subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6F82C699-3098-4CF3-880C-255161076312}
* HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\996C28F689033FC488C0521516703621
* HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\996C28F689033FC488C0521516703621
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F46C8F6DD039799419A1CFD3E3F46EF6

The Features and Products subkey names are the Windows Installer packed form (first three groups reversed, character pairs of the last two groups swapped) of the same product code, {6F82C699-3098-4CF3-880C-255161076312}, that names the Uninstall key and the %UserProfile%\Application Data\Microsoft\Installer folder above, so these artifacts all belong to one MSI installation.

The program may then give exaggerated reports of threats on the computer.
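As an added example (editor's code, not Symantec's signature logic or anything from SpyShield), the following script turns the file and registry indicators listed above into a sweep a responder can run, and shows that the Installer\Features and Installer\Products subkey names are the Uninstall product code in Windows Installer's packed GUID form. Assumptions: the file list is a subset of the paths above, transcribed verbatim; the `[RANDOM ...]` placeholders are matched as wildcards; hive names are abbreviated HKLM/HKCU for the `winreg` lookup; and `demo()` builds a constructed sample tree (the name `_1A2B3C4D.exe` is made up) so the sweep can be exercised on a machine that is not infected or not running Windows.

```python
"""Added example: sweep for the SpyShield artifacts listed above and derive the
Installer\Features / Installer\Products subkeys from the Uninstall product code."""
import glob
import os
import re
import tempfile

# Product code taken from the Uninstall key listed above.
PRODUCT_CODE = "{6F82C699-3098-4CF3-880C-255161076312}"

# Subset of the file indicators above, verbatim; [RANDOM ...] becomes a wildcard.
FILE_INDICATORS = [
    r"%UserProfile%\Application Data\Microsoft\Installer\{6F82C699-3098-4CF3-880C-255161076312}\_[RANDOM HEXADECIMAL NUMBER].exe",
    r"%UserProfile%\Desktop\SpyShield.lnk",
    r"%UserProfile%\Start Menu\Programs\SpyShield.org Software\SpyShield Demo\SpyShield Demo.lnk",
    r"%ProgramFiles%\SpyShield Demo\ExeDefinition.dat",
    r"%ProgramFiles%\SpyShield Demo\SpyReaperProDemo.exe",
    r"%Windir%\Installer\[RANDOM FILE NAME].msi",
]
PLACEHOLDER = re.compile(r"\[RANDOM [A-Z ]+\]")


def _swap_pairs(s):
    return "".join(s[i:i + 2][::-1] for i in range(0, len(s), 2))

def pack_guid(guid):
    """Windows Installer packed GUID: reverse the first three groups, then swap
    each character pair of the last two groups."""
    a, b, c, d, e = guid.strip("{}").upper().split("-")
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)

def unpack_guid(packed):
    """Inverse of pack_guid: 32 hex characters back to {xxxxxxxx-xxxx-...}."""
    p = packed.upper()
    a, b, c, d, e = p[:8], p[8:12], p[12:16], p[16:20], p[20:32]
    return "{%s-%s-%s-%s-%s}" % (a[::-1], b[::-1], c[::-1], _swap_pairs(d), _swap_pairs(e))

def registry_indicators(product_code):
    """The three per-product keys above, derived from the product code alone."""
    packed = pack_guid(product_code)
    return [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s" % product_code,
        r"HKCU\Software\Microsoft\Installer\Features\%s" % packed,
        r"HKCU\Software\Microsoft\Installer\Products\%s" % packed,
    ]

def existing_registry_keys(keys):
    """On Windows, return the keys that can be opened; elsewhere (no winreg) []."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for key in keys:
        hive, _, sub = key.partition("\\")
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], sub))
            found.append(key)
        except OSError:  # key absent or access denied
            pass
    return found

def to_glob(indicator, env):
    """Expand %Var% from env (lower-case keys), turn placeholders into '*', and
    escape the literal parts so braces and brackets are not read as glob syntax."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env[m.group(1).lower()], indicator)
    pattern = "*".join(glob.escape(part) for part in PLACEHOLDER.split(expanded))
    return pattern.replace("\\", os.sep)

def sweep_files(env, indicators=FILE_INDICATORS):
    """Every existing path that matches one of the indicators, in listing order."""
    hits = []
    for indicator in indicators:
        hits.extend(sorted(glob.glob(to_glob(indicator, env))))
    return hits

def demo():
    """Constructed sample tree (not real infection data): two artifacts, one with
    a made-up random name, plus an unrelated file that must not match."""
    root = tempfile.mkdtemp(prefix="spyshield-demo-")
    env = {"userprofile": os.path.join(root, "user"),
           "programfiles": os.path.join(root, "pf"),
           "windir": os.path.join(root, "win")}
    planted = [
        os.path.join(env["userprofile"], "Application Data", "Microsoft",
                     "Installer", PRODUCT_CODE, "_1A2B3C4D.exe"),
        os.path.join(env["programfiles"], "SpyShield Demo", "ExeDefinition.dat"),
        os.path.join(env["windir"], "Installer", "unrelated.txt"),
    ]
    for path in planted:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return [os.path.relpath(hit, root) for hit in sweep_files(env)]

if __name__ == "__main__":
    keys = registry_indicators(PRODUCT_CODE)
    print("registry keys present:", existing_registry_keys(keys))
    if os.name == "nt":
        print("files present:", sweep_files({k.lower(): v for k, v in os.environ.items()}))
    else:
        print("sample sweep:", demo())
```

Two caveats when running this on a real host: the `%UserProfile%\Application Data` layout is the Windows 2000/XP one (on later versions that path is a junction to `AppData\Roaming`, so expand `%AppData%` instead), and a 32-bit Python on 64-bit Windows sees `HKLM\SOFTWARE` through WOW64 redirection, so open the key with `winreg.KEY_WOW64_64KEY` as well if the lookup comes back empty.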

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry (the entries and subkeys listed above).