Friday, March 13, 2009

Spylocked adware

(aka Adware.Spylocked, Adware.SpywareLock.A, Adware/Spylocked)

[Description]

This is an adware program designed to show fake security warnings in order to trick the user into downloading certain programs.

When executed, the malware creates the following registry keys and values:

HKCR\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert, DisplayName
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert, UninstallString
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, bedstead

In order to run at startup, the Spylocked adware uses two registry locations:
the SharedTaskScheduler key and the ShellServiceObjectDelayLoad value named "bedstead". Both mechanisms reference COM objects by CLSID,
and Explorer.exe loads the objects listed there automatically when the computer starts; the HKCR\CLSID entry above is what maps the CLSID to the dropped DLL.

It drops a file named rcohty.dll into the %WINDIR%\System32 folder.

When the DLL is loaded by rundll32.exe, it does the following:
It checks for the existence of the key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareLocked 3.5

If the key is present, it reads the DisplayIcon value and executes the path stored there.

If the key is not present, the DLL shows a flashing icon in the system tray and a fake warning message:
"System has detected a number of active spyware applications that may impact the performance of your computer.
Click the icon to get rid of unwanted spyware by downloading an up to date antispyware solution."

If the user clicks the icon, a new Internet Explorer window opens and connects to:
http://www.spylocked.com


[Clean]

1. Terminate the rundll32.exe process that has rcohty.dll loaded (check the loaded modules first; other rundll32.exe instances may be legitimate).
2. Delete the %WINDIR%\System32\rcohty.dll file. Because Explorer.exe loads the DLL through the startup entries above, the file may be locked; restart Explorer first, or delete it from Safe Mode if the deletion still fails.
3. Open regedit and delete the following keys and value

HKEY_CLASSES_ROOT\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, value "bedstead" (delete only this value, not the whole key: ShellServiceObjectDelayLoad also holds legitimate Windows entries)
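The following PowerShell script is an added example, not part of the original post, that automates the audit and the clean-up steps above using the file path, CLSID and registry locations listed in this post. It assumes an elevated PowerShell prompt; the -Remove switch and the variable names are this example's own choices. Without -Remove it only reports what it finds.

```powershell
# Added example (not from the original post): audit, and with -Remove clean,
# the Spylocked indicators described above. Run from an elevated prompt.
[CmdletBinding()]
param([switch]$Remove)

$Clsid   = '{b23dc537-3e13-44c7-bf67-d8405eb377f7}'
$DllPath = Join-Path $env:WINDIR 'System32\rcohty.dll'
$Cv      = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'

# Keys that are removed whole.
$Keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    "$Cv\Explorer\SharedTaskScheduler\$Clsid",
    "$Cv\Uninstall\Windows Safety Alert"
)
# The SSODL entry is one value under a key shared with legitimate Windows
# entries, so only the value "bedstead" is removed, never the key itself.
$SsodlKey   = "$Cv\ShellServiceObjectDelayLoad"
$SsodlValue = 'bedstead'
# The DLL checks this key at load time; it is reported but, as in the
# original clean-up steps, not deleted.
$MarkerKey  = "$Cv\Uninstall\SpywareLocked 3.5"

$found = @()
if (Test-Path -LiteralPath $DllPath) { $found += "file: $DllPath" }
foreach ($k in $Keys) {
    if (Test-Path -LiteralPath $k) { $found += "key: $k" }
}
if (Test-Path -LiteralPath $SsodlKey) {
    $props = Get-ItemProperty -LiteralPath $SsodlKey
    if ($props.PSObject.Properties.Name -contains $SsodlValue) {
        $found += "value: $SsodlKey\$SsodlValue = $($props.$SsodlValue)"
    }
}
if (Test-Path -LiteralPath $MarkerKey) { $found += "marker key (not removed): $MarkerKey" }

if (-not $found) { Write-Host 'No Spylocked indicators found.'; return }
$found | ForEach-Object { Write-Host "FOUND $_" }
if (-not $Remove) { Write-Host 'Re-run with -Remove to clean.'; return }

# Step 1: stop only rundll32.exe instances that actually have rcohty.dll loaded.
Get-Process -Name rundll32 -ErrorAction SilentlyContinue |
    Where-Object { try { $_.Modules.ModuleName -contains 'rcohty.dll' } catch { $false } } |
    Stop-Process -Force

# Step 3 first: remove the startup entries so Explorer does not reload the DLL.
Remove-ItemProperty -LiteralPath $SsodlKey -Name $SsodlValue -ErrorAction SilentlyContinue
foreach ($k in $Keys) {
    Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction SilentlyContinue
}

# Step 2: Explorer.exe holds the DLL open, so restart it before deleting the file.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
Remove-Item -LiteralPath $DllPath -Force -ErrorAction SilentlyContinue
Start-Process explorer.exe
if (Test-Path -LiteralPath $DllPath) {
    Write-Warning "$DllPath is still present; delete it from Safe Mode."
} else {
    Write-Host 'Clean-up finished. Reboot and re-run this script to confirm nothing was recreated.'
}
```

The registry entries are removed before the file on purpose: if the DLL is deleted while the SharedTaskScheduler and ShellServiceObjectDelayLoad entries still exist, a restarted Explorer will try to load a missing COM object, and if the entries are left behind and the DLL is restored later the persistence is back. Re-running the script after a reboot confirms that none of the indicators were recreated.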
