
Spyware Quake

Posted: May 30, 2006

Spyware Quake is a trojan that displays an icon in the system tray. Spyware Quake looks like a legitimate spyware removal application, but it is installed by a trojan in an attempt to trick you into buying it. The trojan is able to change the Internet Explorer default home page and redirect the web browser to malicious web sites. Spyware Quake will also pop up fake alerts that resemble system alerts in another attempt to get you to buy it.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 blacklist.txt
    2 dfrgsrv.exe
    3 english.ini
    4 hp[X].tmp
    5 ld[X].tmp
    6 mssearchnet.exe
    7 msvcp71.dll
    8 msvcr71.dll
    9 nvctrl.exe
    10 ref.dat
    11 spywarequake.exe
    12 spywarequake.url
    13 spywarequake2.0.lnk
    14 spywarequake2.0website.lnk
    15 spywarequakeinstaller.exe
    16 sq.ini
    17 stickrep.dll
    18 uninst.exe
    19 uninstallspywarequake2.0.lnk

Registry Modifications

  • The following Registry values were newly created:
    HKEY..\..\..\..{Subkeys}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
    HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake\Language:"1033"
    HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake\refid:"1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    HKEY..\..\..\..{RegistryKeys}
    9283DAC1-43F5-4580-BF86-841F22AF233CurrentVersion\AppPaths\SpywareQuake.exe\:"%programfiles%\SpywareQuake\SpywareQuake.exe"
    CurrentVersion\Run\SpywareQuake:"%programfiles%\SpywareQuake\SpywareQuake.exe/h"
    CurrentVersion\Uninstall\SpywareQuake\DisplayIcon:"%programfiles%\SpywareQuake\SpywareQuake.exe"
    CurrentVersion\Uninstall\SpywareQuake\DisplayName:"SpywareQuake2.0"
    CurrentVersion\Uninstall\SpywareQuake\DisplayVersion:"2.0"
    CurrentVersion\Uninstall\SpywareQuake\NSIS:StartMenuDir:"SpywareQuake"
    CurrentVersion\Uninstall\SpywareQuake\Publisher:"SpywareQuake.com"
    CurrentVersion\Uninstall\SpywareQuake\URLInfoAbout:"http://www.spywarequake.com"
    CurrentVersion\Uninstall\SpywareQuake\UninstallString:"%programfiles%\SpywareQuake\uninst.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpywareQuake
    HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
    SpywareQuake
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  • The following CLSIDs were detected:
