
HTTP TrackZapper Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects HTTP activity generated by the misleading application TrackZapper (installed as "TZ Spyware Remover").

Additional Information

When the security risk is executed, it creates the following files:
C:\Documents and Settings\Administrator\Desktop\TZ Spyware Remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\TrackZapper.com\TZ Spyware Remover\Help.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\TrackZapper.com\TZ Spyware Remover\TZ Spyware-Adware Remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\TrackZapper.com\TZ Spyware Remover\Uninstall.lnk
C:\Program Files\TrackZapper.com\TZ Spyware Remover\Box.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\Core.dll
C:\Program Files\TrackZapper.com\TZ Spyware Remover\DataBase.ini
C:\Program Files\TrackZapper.com\TZ Spyware Remover\DB.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\DB1.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\DB2.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\DB3.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\DB4.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\DB5.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\English.inf
C:\Program Files\TrackZapper.com\TZ Spyware Remover\English.jpg
C:\Program Files\TrackZapper.com\TZ Spyware Remover\folders.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\guard.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\Help.chm
C:\Program Files\TrackZapper.com\TZ Spyware Remover\home.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\Progress.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\Purchase.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\scanning.tz
C:\Program Files\TrackZapper.com\TZ Spyware Remover\Splash.spl
C:\Program Files\TrackZapper.com\TZ Spyware Remover\SpyRem.exe
C:\Program Files\TrackZapper.com\TZ Spyware Remover\unins000.dat
C:\Program Files\TrackZapper.com\TZ Spyware Remover\unins000.exe
C:\Program Files\TrackZapper.com\TZ Spyware Remover\update.cli
C:\Program Files\TrackZapper.com\TZ Spyware Remover\update.exe

The risk also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222FB6A-87F1-4867-8639-3B07B79B2EA2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{509F840C-8FBE-4B39-8135-7AE4F77211BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E0EA78D-E2BD-4DC4-8139-3C80FEA5388C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BE09D09-4A7B-4CC9-A729-A0142C7DF45B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{921064A0-DA49-40B6-B8CE-0E9F3C925E2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B46BB0D4-73BC-426F-822D-06CF4D5D5AE9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCAF88BD-430E-4735-84DA-87B2BCA2420E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE9BE0B6-6282-45C1-89E0-6DC449033B23}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F01F5B97-4493-47C7-881E-17C065B899EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1AE04A0C-8523-47DE-AA0C-1A752BAC0C3C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E12DDE-E63E-4D03-B92A-5A9FBD2AAC56}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{250191B9-C470-4496-BE0B-328A9828B13F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{335F2B2A-95EE-4D5E-964C-92DB7CD9AB4F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3CF06A51-25CB-4AC1-8B2B-68939764841B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3DC35E00-E545-4874-8F22-8509077849FE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4A10974A-BE32-4C5D-959C-7CB2A2EC7A47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EBFEFE7-4A25-43E9-8DA9-1B2050D6B40F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79534873-72F1-4EF4-80B1-81DC825FB29A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7A571EF3-BA6F-4883-8089-ED150079D1E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{853958CB-4ABD-4425-90E8-481BF6F50BE3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E64C74F7-7A0B-4CDB-A948-0BBB54AF4D76}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E9BE9673-6933-45D7-8478-7A521DA5CF0F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EA8AF03F-D635-4007-9430-A82DAE65F7A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F8D7C39B-B275-44D3-9758-08DC48A52124}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5466CEC7-55DE-4245-A6B6-CFA8CCCB89DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.Backup
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.Error
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.Loading
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.Remove
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.Scan
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.Shield
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.ThreadControl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.ThreadLaunch
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.Worker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TZ Spyware Remover_is1
HKEY_USERS\S-1-5-21-1343024091-1336601894-839522115-500\Software\TZ Spyware Remover
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TZ Spyware Remover

The risk then displays exaggerated reports claiming that the computer contains adware and spyware. It requests that the user register the software before it will remove the adware or spyware it claims to have found.
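The signature above fires on the network side; the file and registry artefacts listed in Additional Information are what an analyst uses to confirm an install on the host. The following Python is an added example, not Symantec/Broadcom code: it matches triage output (a list of file paths and a list of registry keys, as a collection script would return them) against those indicators, folding HKEY_USERS\<SID> paths onto HKCU so the per-user key matches whichever account installed the program. The file list is a subset of the one above; the CLSIDs and ProgIDs are copied in full. The sample inputs are constructed.

```python
"""Check host triage output against the TrackZapper indicators listed above.

Added example, not Symantec/Broadcom code. Inputs are constructed lists of
file paths and registry keys such as a triage script would collect.
"""
import re

# Install directory and a subset of the file names from the list above.
INSTALL_DIR = r"c:\program files\trackzapper.com\tz spyware remover"
FILE_NAMES = {"core.dll", "spyrem.exe", "update.exe", "update.cli",
              "unins000.exe", "database.ini", "guard.tz"}

# All nine COM class identifiers from the list above (lower-cased for comparison).
CLSIDS = {c.lower() for c in (
    "{4222FB6A-87F1-4867-8639-3B07B79B2EA2}", "{509F840C-8FBE-4B39-8135-7AE4F77211BE}",
    "{7E0EA78D-E2BD-4DC4-8139-3C80FEA5388C}", "{8BE09D09-4A7B-4CC9-A729-A0142C7DF45B}",
    "{921064A0-DA49-40B6-B8CE-0E9F3C925E2D}", "{B46BB0D4-73BC-426F-822D-06CF4D5D5AE9}",
    "{CCAF88BD-430E-4735-84DA-87B2BCA2420E}", "{DE9BE0B6-6282-45C1-89E0-6DC449033B23}",
    "{F01F5B97-4493-47C7-881E-17C065B899EC}")}
PROGIDS = {"core.backup", "core.error", "core.loading", "core.remove", "core.scan",
           "core.shield", "core.threadcontrol", "core.threadlaunch", "core.worker"}

# Keys that matter most for triage: the Run value gives persistence, the
# uninstall entry and per-user key confirm an install rather than a stray file.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\tz spyware remover"
UNINSTALL_KEY = r"hklm\software\microsoft\windows\currentversion\uninstall\tz spyware remover_is1"
USER_KEY = r"hkcu\software\tz spyware remover"


def normalize_key(key):
    """Lower-case and fold hive aliases; map HKEY_USERS\\<SID> to hkcu so the
    per-user key matches regardless of which account installed the program."""
    k = key.strip().lower()
    k = re.sub(r"^hkey_users\\s-1-5-21(?:-\d+)+\\", r"hkcu\\", k)
    k = re.sub(r"^hkey_current_user\\", r"hkcu\\", k)
    k = re.sub(r"^hkey_local_machine\\", r"hklm\\", k)
    return k


def match_indicators(file_paths, registry_keys):
    """Return which TrackZapper indicators appear in the supplied triage data."""
    hits = {"files": [], "clsids": [], "progids": [],
            "persistence": False, "uninstall_entry": False, "user_key": False}
    for path in file_paths:
        lp = path.strip().lower()
        if lp.startswith(INSTALL_DIR + "\\") and lp.rsplit("\\", 1)[-1] in FILE_NAMES:
            hits["files"].append(path)
    for key in registry_keys:
        nk = normalize_key(key)
        m = re.search(r"\\classes\\clsid\\(\{[0-9a-f-]{36}\})$", nk)
        if m and m.group(1) in CLSIDS:
            hits["clsids"].append(m.group(1).upper())
        m = re.search(r"\\classes\\(core\.[a-z]+)$", nk)
        if m and m.group(1) in PROGIDS:
            hits["progids"].append(m.group(1))
        if nk == RUN_KEY:
            hits["persistence"] = True
        elif nk == UNINSTALL_KEY:
            hits["uninstall_entry"] = True
        elif nk == USER_KEY:
            hits["user_key"] = True
    return hits


def verdict(hits):
    """Any install-directory binary, CLSID or ProgID is enough to call it installed;
    the Run value raises the priority because the program restarts at logon."""
    if not (hits["files"] or hits["clsids"] or hits["progids"]):
        return "persistence-only" if hits["persistence"] else "clean"
    return "installed-persistent" if hits["persistence"] else "installed"


# Constructed triage sample: two artefacts from the list above, one benign file,
# one unrelated CLSID, and the per-user key under an HKEY_USERS SID path.
SAMPLE_FILES = [
    r"C:\Program Files\TrackZapper.com\TZ Spyware Remover\SpyRem.exe",
    r"C:\Program Files\TrackZapper.com\TZ Spyware Remover\Core.dll",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222FB6A-87F1-4867-8639-3B07B79B2EA2}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Core.Shield",
    r"HKEY_USERS\S-1-5-21-1343024091-1336601894-839522115-500\Software\TZ Spyware Remover",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TZ Spyware Remover",
]

if __name__ == "__main__":
    h = match_indicators(SAMPLE_FILES, SAMPLE_KEYS)
    print(verdict(h), h)
```

The CLSIDs and Core.* ProgIDs are the most specific artefacts, since they are registered by the program's own COM server (Core.dll) rather than by the installer. The unins000.exe/unins000.dat pair and the "_is1" suffix on the Uninstall key are the generic footprint of an Inno Setup installer and will also appear for unrelated software, so they are only used here to corroborate, not to decide.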