
HTTP BPSpyware Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application TheSpywareDetective.

Additional Information

When the program is executed, it creates the following folders:

* C:\Documents and Settings\All Users\Start Menu\Programs\BulletProofSoft.com
* C:\Documents and Settings\All Users\Start Menu\Programs\BulletProofSoft.com\BPS Spyware Remover
* %ProgramFiles%\BulletProofSoft.com
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover

Next, the program drops the following files:

* %UserProfile%\Desktop\BPS Spyware Remover.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\BulletProofSoft.com\BPS Spyware Remover\BPS Spyware-Adware Remover.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\BulletProofSoft.com\BPS Spyware Remover\Help.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\BulletProofSoft.com\BPS Spyware Remover\Uninstall.lnk
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Box.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Core.dll
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\DataBase.ini
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\DB.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\DB1.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\DB2.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\DB3.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\DB4.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\DB5.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\English.inf
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\English.jpg
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Espanol.inf
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Espanol.jpg
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Francais.inf
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Francais.jpg
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\guard.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Help.chm
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\home.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\hosts
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Italiano.inf
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Italiano.jpg
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Mask.skn
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Purchase.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Scan Session.txt
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\scanning.bps
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\Splash.spl
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\unins000.dat
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\unins000.exe
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\update.cli
* %ProgramFiles%\BulletProofSoft.com\BPS Spyware Remover\update.exe

The program may also create some temporary files.

Next, the program creates the following registry subkeys:

* HKEY_ALL_USERS\Software\BPS Security Console Toolbar
* HKEY_ALL_USERS\Software\BPS Spyware Remover
* HKEY_CLASSES_ROOT\CLSID\{4222FB6A-87F1-4867-8639-3B07B79B2EA2}
* HKEY_CLASSES_ROOT\CLSID\{509F840C-8FBE-4B39-8135-7AE4F77211BE}
* HKEY_CLASSES_ROOT\CLSID\{7E0EA78D-E2BD-4DC4-8139-3C80FEA5388C}
* HKEY_CLASSES_ROOT\CLSID\{921064A0-DA49-40B6-B8CE-0E9F3C925E2D}
* HKEY_CLASSES_ROOT\CLSID\{B46BB0D4-73BC-426F-822D-06CF4D5D5AE9}
* HKEY_CLASSES_ROOT\CLSID\{C27A930F-7BF8-4C9C-96DB-2A226F41EA12}
* HKEY_CLASSES_ROOT\CLSID\{CCAF88BD-430E-4735-84DA-87B2BCA2420E}
* HKEY_CLASSES_ROOT\CLSID\{DE9BE0B6-6282-45C1-89E0-6DC449033B23}
* HKEY_CLASSES_ROOT\CLSID\{F01F5B97-4493-47C7-881E-17C065B899EC}
* HKEY_CLASSES_ROOT\Core.Backup
* HKEY_CLASSES_ROOT\Core.Error
* HKEY_CLASSES_ROOT\Core.Loading
* HKEY_CLASSES_ROOT\Core.Remove
* HKEY_CLASSES_ROOT\Core.Scan
* HKEY_CLASSES_ROOT\Core.Shield
* HKEY_CLASSES_ROOT\Core.ThreadControl
* HKEY_CLASSES_ROOT\Core.ThreadLaunch
* HKEY_CLASSES_ROOT\Core.Worker
* HKEY_CLASSES_ROOT\Interface\{038A85EB-4A64-455B-A2EA-1BA5EE65BB05}
* HKEY_CLASSES_ROOT\Interface\{04E67B90-AE31-4BFB-897B-E64CBCC2E22F}
* HKEY_CLASSES_ROOT\Interface\{0D63440E-99EE-4A34-9012-D499DA707D41}
* HKEY_CLASSES_ROOT\Interface\{1038A7DB-1F5D-4CE2-8C4F-B76A51F8C038}
* HKEY_CLASSES_ROOT\Interface\{16ED6B69-D19B-4B4D-84B7-694901EA5464}
* HKEY_CLASSES_ROOT\Interface\{5C88CBC4-1430-44A3-B9F7-9C06A10EE886}
* HKEY_CLASSES_ROOT\Interface\{624B3631-DA1B-4A79-A669-55FBCC1F3962}
* HKEY_CLASSES_ROOT\Interface\{6D6F0F8A-0749-47ED-A144-9B12D5561035}
* HKEY_CLASSES_ROOT\Interface\{7D2917B0-3D9B-4B12-921E-8C04913D7610}
* HKEY_CLASSES_ROOT\Interface\{B842E321-726E-45DC-A56B-2CFCE0FC603B}
* HKEY_CLASSES_ROOT\Interface\{C846D109-2BA5-4FD3-9266-0E3BCE739981}
* HKEY_CLASSES_ROOT\TypeLib\{5466CEC7-55DE-4245-A6B6-CFA8CCCB89DC}
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BPS Spyware Remover_is1

The program then gives exaggerated reports of threats on the computer. It then prompts the user to purchase a registered version of the software in order to remove the reported threats.
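A read-only host check for the folders, files and registry subkeys listed above, added here as an example and not part of the Symantec write-up. It assumes an elevated PowerShell session on the host being examined, resolves the "All Users" Start Menu folder through the CommonPrograms special folder instead of the hard-coded Windows XP path quoted above, and checks the per-user Software keys under every loaded hive in HKEY_USERS because HKEY_ALL_USERS is not a root the Registry provider exposes.

```powershell
# Added example (not from the Symantec page): confirm whether the BPS Spyware Remover
# artifacts this signature is associated with are present before deciding on cleanup.
# Assumptions: elevated session; CommonPrograms stands in for the XP "All Users" path.

$commonPrograms = [Environment]::GetFolderPath('CommonPrograms')
$programFiles   = [Environment]::GetFolderPath('ProgramFiles')
$desktop        = [Environment]::GetFolderPath('Desktop')
$installDir     = Join-Path $programFiles 'BulletProofSoft.com\BPS Spyware Remover'

# File-system artifacts: the two folder trees plus a few of the dropped files.
$fileArtifacts = @(
    (Join-Path $commonPrograms 'BulletProofSoft.com'),
    $installDir,
    (Join-Path $installDir 'SpyRem.exe'),
    (Join-Path $installDir 'Core.dll'),
    (Join-Path $installDir 'hosts'),
    (Join-Path $desktop 'BPS Spyware Remover.lnk')
)

# Registry artifacts: HKCR and HKLM keys are addressed through the Registry provider;
# the per-user Software keys are checked under each loaded user hive.
$registryArtifacts = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{4222FB6A-87F1-4867-8639-3B07B79B2EA2}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{5466CEC7-55DE-4245-A6B6-CFA8CCCB89DC}',
    'Registry::HKEY_CLASSES_ROOT\Core.Scan',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BPS Spyware Remover_is1'
)
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    # $hive.Name is the full key path, e.g. HKEY_USERS\S-1-5-21-...
    $registryArtifacts += "Registry::$($hive.Name)\Software\BPS Spyware Remover"
    $registryArtifacts += "Registry::$($hive.Name)\Software\BPS Security Console Toolbar"
}

# -LiteralPath so the braces in CLSID/TypeLib names are not treated as wildcards.
$found = @()
foreach ($p in $fileArtifacts + $registryArtifacts) {
    if (Test-Path -LiteralPath $p) { $found += $p }
}

if ($found.Count -eq 0) {
    Write-Output 'No BPS Spyware Remover artifacts found.'
} else {
    Write-Output "Found $($found.Count) artifact(s):"
    $found | ForEach-Object { Write-Output "  $_" }
}
```

The script only reports; removal is left to the analyst, since the Uninstall subkey and unins000.exe above indicate a regular installer that can be reversed once the finding is confirmed.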