
HTTP SpyKill Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application SpyKill.

Additional Information

When the program is executed, it creates the following files:

* C:\Program Files\Spy-Kill\Deutsch.lng
* C:\Program Files\Spy-Kill\dir.txt
* C:\Program Files\Spy-Kill\English.lng
* C:\Program Files\Spy-Kill\Francais.lng
* C:\Program Files\Spy-Kill\Reference.dat
* C:\Program Files\Spy-Kill\SpyKill.chm
* C:\Program Files\Spy-Kill\SpyKill.dll
* C:\Program Files\Spy-Kill\SpyKill.exe
* C:\Program Files\Spy-Kill\SpyKill.ini
* C:\Program Files\Spy-Kill\unins000.dat
* C:\Program Files\Spy-Kill\unins000.exe
* C:\Documents and Settings\Administrator\Desktop\SpyKill.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Spy-Kill
* C:\Documents and Settings\All Users\Start Menu\Programs\Spy-Kill\SpyKill Help Manual.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Spy-Kill\SpyKill.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Spy-Kill\Uninstall SpyKill.lnk
Next, the program creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spy-Kill_is1

The program then runs a fake malware scan and reports a number of false positives. It then prompts the user to purchase the application so that these nonexistent infections can be cleaned.
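The following PowerShell function is an added example, not part of this Symantec page, that checks a host for the file and registry artifacts listed above. The artifact paths and the uninstall subkey are taken from the page as written; the -ProgramFiles and -ProfileRoot parameters are an assumption so the check can be pointed at a layout other than the "C:\Documents and Settings" profile root the page quotes. It only reads; it does not remove anything.

```powershell
# Added example (not from the Symantec page): read-only check for the SpyKill
# artifacts the page lists. The -ProgramFiles and -ProfileRoot parameters are an
# assumption; the default values reproduce the paths quoted on the page.
function Test-SpyKillArtifacts {
    [CmdletBinding()]
    param(
        [string]$ProgramFiles = 'C:\Program Files',
        [string]$ProfileRoot  = 'C:\Documents and Settings'
    )

    $installDir = Join-Path $ProgramFiles 'Spy-Kill'
    $startMenu  = Join-Path $ProfileRoot  'All Users\Start Menu\Programs\Spy-Kill'

    # Files the page lists under the install directory.
    $paths = [System.Collections.Generic.List[string]]::new()
    foreach ($name in 'Deutsch.lng', 'dir.txt', 'English.lng', 'Francais.lng',
                      'Reference.dat', 'SpyKill.chm', 'SpyKill.dll', 'SpyKill.exe',
                      'SpyKill.ini', 'unins000.dat', 'unins000.exe') {
        $paths.Add((Join-Path $installDir $name))
    }

    # Desktop shortcut, Start Menu folder and its shortcuts, as listed on the page.
    $paths.Add((Join-Path $ProfileRoot 'Administrator\Desktop\SpyKill.lnk'))
    $paths.Add($startMenu)
    foreach ($name in 'SpyKill Help Manual.lnk', 'SpyKill.lnk', 'Uninstall SpyKill.lnk') {
        $paths.Add((Join-Path $startMenu $name))
    }

    # Uninstall subkey the page lists, expressed on PowerShell's HKLM: drive.
    $uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spy-Kill_is1'

    $found = [System.Collections.Generic.List[object]]::new()

    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $found.Add([pscustomobject]@{ Type = 'File'; Artifact = $p; Detail = $null })
        }
    }

    if (Test-Path -LiteralPath $uninstallKey) {
        # Uninstall keys normally carry DisplayName/UninstallString; record them if present.
        $props  = Get-ItemProperty -LiteralPath $uninstallKey
        $detail = (@($props.DisplayName, $props.UninstallString) -join ' | ')
        $found.Add([pscustomobject]@{ Type = 'Registry'; Artifact = $uninstallKey; Detail = $detail })
    }

    Write-Verbose ("Checked {0} file paths and 1 registry key; {1} artifact(s) present." -f $paths.Count, $found.Count)
    return $found
}

# Usage: list any matches (no output means none of the page's artifacts are present).
Test-SpyKillArtifacts -Verbose | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host being examined. A hit on the install directory files together with the Spy-Kill_is1 uninstall key corroborates a network detection from this signature; a single stray .lnk on its own is weaker evidence and worth checking against the other artifacts before acting.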