AlphaOne Technology Support Forums
Brad
Spyware.SearchPounder
« on: June 06, 2005, 01:22:04 AM »

Behavior
Spyware.SearchPounder sends keywords typed into HTML forms and popular Internet search engines to a remote server.

Symptoms
Your Symantec products detect the files as Spyware.SearchPounder.

Transmission
This program can be manually installed or installed as part of other security risks.

Technical details
File names: pounder.exe; sysmonnt.exe

When Spyware.SearchPounder is executed, it performs the following actions:

   1. May create the following files:

          * %System%\vbdata00.dat
          * %System%\sysmonnt.exe
          * %System%\msinet.ocx
          * %System%\unins000.exe
          * %System%\unins000.dat
          * %Windir%\unins000.dat
          * %Windir%\unins000.exe

            Notes:
          * %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
          * %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

   2. Adds the value:

      "sysmonnt" = "%System%\sysmonnt.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that the adware runs every time Windows starts.

   3. Creates the following registry keys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Monitor for Windows 98/NT/XP/2000/2003_is1
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InetCtls.Inet
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InetCtls.Inet.1

   4. Sends keywords typed in HTML forms and popular search engines to its own server on the search.antarasystems.com domain.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/spyware.searchpounder.html
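
An added example, not part of the original post or of Symantec's write-up: a triage script that checks `reg export` text and a file listing against the indicators listed above. The strong/weak grouping, the function names and the sample data are assumptions of this example.

```python
import re
# Indicators are copied from the write-up above. The strong/weak split is an assumption
# of this example: msinet.ocx, InetCtls.Inet and the 48E5929x GUIDs also belong to
# Microsoft's Internet Transfer Control, and unins000.* is Inno Setup's default name.
HKLM = "HKEY_LOCAL_MACHINE\\SOFTWARE\\"
RUN_KEY = HKLM + "Microsoft\\Windows\\CurrentVersion\\Run"
STRONG_KEYS = {HKLM + "Microsoft\\Windows\\CurrentVersion\\Uninstall\\"
               "System Monitor for Windows 98/NT/XP/2000/2003_is1"}
WEAK_KEYS = {HKLM + "Classes\\InetCtls.Inet", HKLM + "Classes\\InetCtls.Inet.1"} | {
    HKLM + "Classes\\%s\\{48E5929%d-9880-11CF-9754-00AA00C00908}" % (kind, n)
    for kind, n in [("CLSID", 3), ("CLSID", 4), ("CLSID", 5),
                    ("Interface", 1), ("Interface", 2), ("TypeLib", 0)]}
STRONG_FILES = {"%system%\\vbdata00.dat", "%system%\\sysmonnt.exe"}
WEAK_FILES = {"%system%\\msinet.ocx"} | {
    d + "\\unins000." + ext for d in ("%system%", "%windir%") for ext in ("exe", "dat")}
DIRS = {"c:\\windows\\system": "%system%", "c:\\winnt\\system32": "%system%",
        "c:\\windows\\system32": "%system%", "c:\\windows": "%windir%", "c:\\winnt": "%windir%"}

def normalize(path):
    """Rewrite a default-folder path in the write-up's %System%/%Windir% notation."""
    folder, _, name = path.lower().rpartition("\\")
    return DIRS[folder] + "\\" + name if folder in DIRS else path.lower()

def parse_reg(text):
    """Parse `reg export` text into {KEY: {value_name: data}}; string values only."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:  # .reg files double every backslash inside string data
                current[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def scan(reg_text, paths):
    """Return (strong, weak): sorted indicators from the write-up that were found."""
    reg, seen = parse_reg(reg_text), {normalize(p) for p in paths}
    strong = sorted(k for k in STRONG_KEYS if k.upper() in reg) + sorted(STRONG_FILES & seen)
    weak = sorted(k for k in WEAK_KEYS if k.upper() in reg) + sorted(WEAK_FILES & seen)
    if normalize(reg.get(RUN_KEY.upper(), {}).get("sysmonnt", "")) == "%system%\\sysmonnt.exe":
        strong.insert(0, RUN_KEY + "\\sysmonnt")
    return strong, weak

# Constructed sample input, not taken from a real host.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysmonnt"="C:\\WINDOWS\\System32\\sysmonnt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InetCtls.Inet]'''
SAMPLE_FILES = [r"C:\WINDOWS\System32\msinet.ocx", r"C:\Program Files\App\unins000.exe"]
```

A host that matches only weak indicators may simply have a Visual Basic application or an Inno Setup package installed; the Run value and `sysmonnt.exe` are what separate the two cases.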