
HTTP SpyDestroy Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application SpyDestroy.

Additional Information

When SpyDestroy is installed, it performs the following actions:

1. Creates the following files:

* %Program Files%\SpyDestroy Pro\Logs\debug.log
* %Program Files%\SpyDestroy Pro\Logs\ObjectsFound.log
* %Program Files%\SpyDestroy Pro\Logs\ObjectsRemoved.log
* %Program Files%\SpyDestroy Pro\SpyDestroy Pro.url
* %Program Files%\SpyDestroy Pro\spydestroypro.exe
* %Program Files%\SpyDestroy Pro\uninst.exe
* %UserProfile%\Desktop\SpyDestroy Pro.lnk
* %UserProfile%\Start Menu\Programs\SpyDestroy Pro\SpyDestroy Pro.lnk
* %UserProfile%\Start Menu\Programs\SpyDestroy Pro\Uninstall.lnk
* %UserProfile%\Start Menu\Programs\SpyDestroy Pro\Website.lnk
* %System%\fk.dll

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyDestroyPro.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDestroy Pro
HKEY_LOCAL_MACHINE\SOFTWARE\Mandel Enterprise\SpyDestroy Pro
HKEY_ALL_USERS\Software\Local AppWizard-Generated Applications\SpyDestroy Pro

3. Adds the value:

"(Default)" = "C:\Program Files\SpyDestroy Pro\SpyDestroyPro.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyDestroyPro.exe

so that it runs every time Windows starts.
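The file and registry artifacts listed above can be checked for on a host with the following read-only PowerShell script. This is an added example, not part of the Symantec signature page; it assumes %Program Files% maps to $env:ProgramFiles, %UserProfile% to $env:USERPROFILE, %System% to the System32 folder under $env:SystemRoot, and that the HKEY_ALL_USERS key on the page is looked up under each loaded hive in HKEY_USERS.

```powershell
# Added example (not from the Symantec page): read-only presence check for
# the SpyDestroy Pro artifacts listed in the signature description.
# Variable mapping (%Program Files%, %UserProfile%, %System%) is an assumption.
$system = Join-Path $env:SystemRoot 'System32'
$files = @(
    "$env:ProgramFiles\SpyDestroy Pro\Logs\debug.log",
    "$env:ProgramFiles\SpyDestroy Pro\Logs\ObjectsFound.log",
    "$env:ProgramFiles\SpyDestroy Pro\Logs\ObjectsRemoved.log",
    "$env:ProgramFiles\SpyDestroy Pro\SpyDestroy Pro.url",
    "$env:ProgramFiles\SpyDestroy Pro\spydestroypro.exe",
    "$env:ProgramFiles\SpyDestroy Pro\uninst.exe",
    "$env:USERPROFILE\Desktop\SpyDestroy Pro.lnk",
    "$env:USERPROFILE\Start Menu\Programs\SpyDestroy Pro\SpyDestroy Pro.lnk",
    "$env:USERPROFILE\Start Menu\Programs\SpyDestroy Pro\Uninstall.lnk",
    "$env:USERPROFILE\Start Menu\Programs\SpyDestroy Pro\Website.lnk",
    "$system\fk.dll"
)
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyDestroyPro.exe',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDestroy Pro',
    'HKLM:\SOFTWARE\Mandel Enterprise\SpyDestroy Pro'
)
# The page lists the fourth key under HKEY_ALL_USERS; probing it under every
# loaded profile hive in HKEY_USERS is an assumption made here.
$perUser = 'Software\Local AppWizard-Generated Applications\SpyDestroy Pro'
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    $keys += "Registry::$($_.Name)\$perUser"
}

$found = @()
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $found += "file: $f" } }
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $found += "registry: $k" } }

# Report the App Paths (Default) value the page says the application adds.
$appPath = $keys[0]
if (Test-Path -LiteralPath $appPath) {
    $default = (Get-ItemProperty -LiteralPath $appPath).'(default)'
    if ($default) { $found += "App Paths (Default) = $default" }
}

if ($found.Count -eq 0) {
    Write-Output 'No SpyDestroy Pro artifacts found.'
} else {
    Write-Output "SpyDestroy Pro artifacts present ($($found.Count)):"
    $found | ForEach-Object { Write-Output "  $_" }
}
```

The script only reads; removal of anything it reports should follow the vendor's Response steps below.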

Affected

  • Windows 2000
  • Windows NT
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.