
HTTP TheSpywareDetective Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects network activity of the misleading application TheSpywareDetective.

Additional Information

When TheSpywareDetective is executed, it performs the following actions:

1. Creates the following files:

* C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\The Spyware Detective.lnk
* C:\Documents and Settings\Administrator\Desktop\The Spyware Detective.lnk
* C:\Documents and Settings\Administrator\Start Menu\The Spyware Detective.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\The Spyware Detective\LSP Manager.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\The Spyware Detective\The Spyware Detective.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\The Spyware Detective\Uninstall.lnk
* C:\Program Files\The Spyware Detective\backup\backup.xml
* C:\Program Files\The Spyware Detective\config.ini
* C:\Program Files\The Spyware Detective\data\clsid.fln
* C:\Program Files\The Spyware Detective\data\data.fln
* C:\Program Files\The Spyware Detective\help\help_English.chm
* C:\Program Files\The Spyware Detective\languages\English.lng
* C:\Program Files\The Spyware Detective\logs\scan_protocol.log
* C:\Program Files\The Spyware Detective\LspManager.exe
* C:\Program Files\The Spyware Detective\skins\b_close.jpg
* C:\Program Files\The Spyware Detective\skins\b_close_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\b_minimize.jpg
* C:\Program Files\The Spyware Detective\skins\b_minimize_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\b_tray.jpg
* C:\Program Files\The Spyware Detective\skins\b_tray_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\help.jpg
* C:\Program Files\The Spyware Detective\skins\help_over.jpg
* C:\Program Files\The Spyware Detective\skins\help_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\interface.jpg
* C:\Program Files\The Spyware Detective\skins\news.jpg
* C:\Program Files\The Spyware Detective\skins\news_over.jpg
* C:\Program Files\The Spyware Detective\skins\news_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\onguard.jpg
* C:\Program Files\The Spyware Detective\skins\onguard_over.jpg
* C:\Program Files\The Spyware Detective\skins\onguard_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\order.jpg
* C:\Program Files\The Spyware Detective\skins\order_over.jpg
* C:\Program Files\The Spyware Detective\skins\order_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\scan.jpg
* C:\Program Files\The Spyware Detective\skins\scan_over.jpg
* C:\Program Files\The Spyware Detective\skins\scan_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\settings.jpg
* C:\Program Files\The Spyware Detective\skins\settings_over.jpg
* C:\Program Files\The Spyware Detective\skins\settings_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\skin_01.skn
* C:\Program Files\The Spyware Detective\skins\splashscreen.jpg
* C:\Program Files\The Spyware Detective\skins\status.jpg
* C:\Program Files\The Spyware Detective\skins\status_over.jpg
* C:\Program Files\The Spyware Detective\skins\status_rollover.jpg
* C:\Program Files\The Spyware Detective\skins\toolbar.jpg
* C:\Program Files\The Spyware Detective\skins\update.jpg
* C:\Program Files\The Spyware Detective\skins\update_over.jpg
* C:\Program Files\The Spyware Detective\skins\update_rollover.jpg
* C:\Program Files\The Spyware Detective\TheSpywareDetective.exe
* C:\Program Files\The Spyware Detective\unins000.dat
* C:\Program Files\The Spyware Detective\unins000.exe

2. Creates the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB746E64-083A-4D33-BB91-ED7E31A9606D}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB746E64-083A-4D33-BB91-ED7E31A9606D}\Info
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB746E64-083A-4D33-BB91-ED7E31A9606D}_is1

3. Detects clean files as infected.

4. Attempts to persuade users to register the product for a fee.


Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
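The following PowerShell script is an added example, not part of the Symantec write-up: it inventories a host for the file and registry artifacts listed above and, with -Remove, deletes them as step 3 describes. It assumes the Windows 2000/XP/2003 profile layout (C:\Documents and Settings) shown in the file list; the per-user shortcut locations are checked under every profile rather than only "Administrator".

```powershell
# Added example (not Symantec's code): report TheSpywareDetective artifacts; -Remove deletes them.
param([switch]$Remove)

# Paths taken from the signature description above.
$ProgramDir = 'C:\Program Files\The Spyware Detective'
$Clsid      = '{CB746E64-083A-4D33-BB91-ED7E31A9606D}'
$RegistryKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\${Clsid}_is1"
)
# Assumption: pre-Vista profile root, as used in the write-up. The write-up lists the
# shortcuts under "Administrator"; the installer writes them for whoever ran it.
$ProfileRoot = 'C:\Documents and Settings'
$ShortcutRelPaths = @(
    'Application Data\Microsoft\Internet Explorer\Quick Launch\The Spyware Detective.lnk',
    'Desktop\The Spyware Detective.lnk',
    'Start Menu\The Spyware Detective.lnk',
    'Start Menu\Programs\The Spyware Detective'   # All Users shortcut folder
)

$found = New-Object System.Collections.Generic.List[string]

if (Test-Path -LiteralPath $ProgramDir) { $found.Add($ProgramDir) }

foreach ($key in $RegistryKeys) {
    if (Test-Path -LiteralPath $key) { $found.Add($key) }
}

if (Test-Path -LiteralPath $ProfileRoot) {
    # Where-Object/PSIsContainer keeps this working on PowerShell 2.0 (XP/2003 era).
    $profiles = Get-ChildItem -LiteralPath $ProfileRoot | Where-Object { $_.PSIsContainer }
    foreach ($prof in $profiles) {
        foreach ($rel in $ShortcutRelPaths) {
            $p = Join-Path $prof.FullName $rel
            if (Test-Path -LiteralPath $p) { $found.Add($p) }
        }
    }
}

if ($found.Count -eq 0) { Write-Output 'No TheSpywareDetective artifacts found.'; return }

foreach ($item in $found) {
    if ($Remove) {
        # -Recurse removes the program folder and the CLSID key's Info subkey in one go.
        Remove-Item -LiteralPath $item -Recurse -Force -ErrorAction Continue
        Write-Output "Removed: $item"
    } else {
        Write-Output "Found:   $item"
    }
}
```

Run it without -Remove first and compare the report against the lists above before deleting anything; the registry keys require an elevated session.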