Behavior
Spyware.SafeSurfing monitors browsing habits.
Symptoms
The files are detected as Spyware.SafeSurfing.
Transmission
Spyware.SafeSurfing must be manually installed.
Technical details
File names: netsync.exe; rsyncmon.dll
When the installer for Spyware.SafeSurfing is run, it does the following:
1. Downloads and creates the following files from www.pops-stop.com:
* %Windir%\netsync.exe
* %Windir%\rsyncmon.dll
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
2. Creates the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKEY_CLASSES_ROOT\Interface\{57CB9B97-9FF9-4C87-88A4-56A867FFC95E}
HKEY_CLASSES_ROOT\TypeLib\{227D1E33-EAD4-4ACE-BE32-4ACFAAD072DD}
HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Netsync
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\RsyncMon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKEY_LOCAL_MACHINE\Software\RSyncMon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RSyncMon
HKEY_LOCAL_MACHINE\Software\SafeSurfing
3. Adds the value:
"RSync" = "%WINDOWS%\netsync.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the spyware runs when you start Windows.
4. Adds the registry key:
HKEY_LOCAL_MACHINE\System\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\netsync.exe
so that the spyware bypasses the Microsoft Windows firewall.
5. Sends browsing habit and system information to www.pops-stop.com.
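A read-only check for the files and registry entries listed in steps 1 to 4, as an added example that is not part of the original write-up. The variable and function names are this example's own, and the firewall entry is checked both as a key (as the page describes it) and, as an assumption, as a value name under the List key.

```powershell
# Added example: reports which Spyware.SafeSurfing artifacts from this page exist.
# Read-only; nothing is modified or deleted.
$files = 'netsync.exe', 'rsyncmon.dll' | ForEach-Object { Join-Path $env:windir $_ }

$keys = @(
    'HKEY_CLASSES_ROOT\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}'
    'HKEY_CLASSES_ROOT\Interface\{57CB9B97-9FF9-4C87-88A4-56A867FFC95E}'
    'HKEY_CLASSES_ROOT\TypeLib\{227D1E33-EAD4-4ACE-BE32-4ACFAAD072DD}'
    'HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Netsync'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\RsyncMon'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}'
    'HKEY_LOCAL_MACHINE\Software\RSyncMon'
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RSyncMon'
    'HKEY_LOCAL_MACHINE\Software\SafeSurfing'
)
$runKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Path copied verbatim from step 4 of the write-up.
$fwList = 'HKEY_LOCAL_MACHINE\System\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# Hypothetical helper: the Registry:: provider prefix reaches hives such as
# HKEY_CLASSES_ROOT that have no default PowerShell drive.
function Test-RegKey([string]$Path) { Test-Path -LiteralPath "Registry::$Path" }

$findings = @()
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings += "File: $f" } }
foreach ($k in $keys)  { if (Test-RegKey $k)            { $findings += "Key: $k" } }

# Step 3: the "RSync" autorun value under the Run key.
$run = Get-ItemProperty -LiteralPath "Registry::$runKey" -Name 'RSync' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value: RSync = $($run.RSync)" }

# Step 4: firewall exception, checked as a key and as a value name (assumption).
if (Test-RegKey "$fwList\netsync.exe") { $findings += "Firewall key: $fwList\netsync.exe" }
$list = Get-Item -LiteralPath "Registry::$fwList" -ErrorAction SilentlyContinue
if ($list) {
    foreach ($name in $list.GetValueNames()) {
        if ($name -like '*netsync.exe') { $findings += "Firewall value: $name" }
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No listed Spyware.SafeSurfing artifacts found.' }
```

On 64-bit Windows, registry writes by a 32-bit installer to HKEY_LOCAL_MACHINE\SOFTWARE are redirected under WOW6432Node, which this check does not cover.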
Removal instructions
See: http://securityresponse.symantec.com/avcenter/venc/data/spyware.safesurfing.html