HTTP SpywareScrapper Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activities of misleading application SpywareScrapper.

Additional Information

SpywareScrapper is a misleading application that may give exaggerated reports of potential risks on a user's computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported risks.

The misleading application must be manually executed. When the file is executed, it displays a graphical user interface (GUI).

The misleading application reports a false positive on a Direct3D registry key as being Spyware or Adware.

The misleading application then prompts the user to pay for a registered version in order to remove the reported threat.


Installation
The risk creates the following files:
%UserProfile%\Application Data\Microsoft\Installer\{2004E9C1-92E4-47A9-B4CC-2253AE8E437C}
%UserProfile%\Application Data\AntiSpywareDAT\BlockedCookies.dat
%UserProfile%\Application Data\AntiSpywareDAT\date.dat
%UserProfile%\Application Data\AntiSpywareDAT\DirectoryDefinition.dat
%UserProfile%\Application Data\AntiSpywareDAT\ENoSignature.dat
%UserProfile%\Application Data\AntiSpywareDAT\ExeDefinition.dat
%UserProfile%\Application Data\AntiSpywareDAT\FileDefinition.dat
%UserProfile%\Application Data\AntiSpywareDAT\Quarantine\Quarantined files will be placed here.txt
%UserProfile%\Application Data\AntiSpywareDAT\RegistryDefinition.dat
%UserProfile%\Application Data\AntiSpywareDAT\Safety.dat
%UserProfile%\Application Data\AntiSpywareDAT\Scan_Log.txt
%UserProfile%\Desktop\Spyware Scrapper Demo.lnk
%UserProfile%\Start Menu\Programs\SpywareScrapper.com Software\Spyware Scrapper Demo\Readme-Help.lnk
%UserProfile%\Start Menu\Programs\SpywareScrapper.com Software\Spyware Scrapper Demo\Spyware Scrapper Demo.lnk
%UserProfile%\Start Menu\Programs\SpywareScrapper.com Software\Spyware Scrapper Demo\SpywareScrapper.com.url
%ProgramFiles%\Spyware Scrapper Demo\help.chm
%ProgramFiles%\Spyware Scrapper Demo\Localization.xml
%ProgramFiles%\Spyware Scrapper Demo\riched32.dll
%ProgramFiles%\Spyware Scrapper Demo\scan.txt
%ProgramFiles%\Spyware Scrapper Demo\SpywareScrapper.com.url
%ProgramFiles%\Spyware Scrapper Demo\SpywareScrapperDemo.exe

The risk also creates the following registry subkeys:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Spyware Scrapper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\Modules\5F6754512A21595C5F512E21512A215CSpyw12a21r12e21Scr12a21pp12e21rSpyw12a21r12e21Scr12a21pp12e21r.c12o21m31
HKEY_LOCAL_MACHINE\SOFTWARE\SpywareScrapper.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Spyware Scrapper Demo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2004E9C1-92E4-47A9-B4CC-2253AE8E437C}
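
Added example (not part of the Symantec write-up): a triage check that matches a file listing from a host or mounted image against a subset of the file paths above and reports which user profile holds the per-user artifacts. The profile and Program Files root patterns are assumptions about default Windows layouts, and the sample listing is constructed.

```python
import re

# Subset of the file indicators listed under Installation.
INDICATORS = [
    r"%UserProfile%\Application Data\AntiSpywareDAT\Scan_Log.txt",
    r"%UserProfile%\Application Data\AntiSpywareDAT\RegistryDefinition.dat",
    r"%UserProfile%\Desktop\Spyware Scrapper Demo.lnk",
    r"%ProgramFiles%\Spyware Scrapper Demo\SpywareScrapperDemo.exe",
    r"%ProgramFiles%\Spyware Scrapper Demo\riched32.dll",
]

# Assumed default locations the variables expand to (any drive letter).
ENV_PATTERNS = {
    "%userprofile%": r"[a-z]:\\(?:documents and settings|users)\\(?P<user>[^\\]+)",
    "%programfiles%": r"[a-z]:\\program files(?: \(x86\))?",
}

def compile_indicator(indicator):
    """Turn one indicator path into a case-insensitive regex for absolute paths."""
    parts = re.split(r"(%[^%]+%)", indicator)
    regex = "".join(
        ENV_PATTERNS[p.lower()] if p.lower() in ENV_PATTERNS else re.escape(p)
        for p in parts
    )
    return re.compile(regex, re.IGNORECASE)

def find_artifacts(listing):
    """Return (path, indicator, profile_name_or_None) for every matching path."""
    compiled = [(ind, compile_indicator(ind)) for ind in INDICATORS]
    hits = []
    for path in listing:
        for ind, rx in compiled:
            m = rx.fullmatch(path.strip())
            if m:
                hits.append((path, ind, m.groupdict().get("user")))
    return hits

# Constructed listing, e.g. the output of `dir /s /b` on a mounted image.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\alice\Application Data\AntiSpywareDAT\Scan_Log.txt",
    r"c:\documents and settings\alice\desktop\spyware scrapper demo.lnk",
    r"C:\Program Files\Spyware Scrapper Demo\SpywareScrapperDemo.exe",
    r"C:\Documents and Settings\bob\Desktop\notes.txt",
    r"C:\WINDOWS\system32\riched32.dll",  # legitimate copy elsewhere: no match
]

if __name__ == "__main__":
    for path, indicator, user in find_artifacts(SAMPLE_LISTING):
        print(f"{user or '-':8} {path}")
```

Matching on the full path rather than the file name keeps common names such as riched32.dll from producing hits outside the application's own folder.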

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.