SpyHeal. Possible successor to SpywareQuake?
On July 7th we were tipped off by one of our members that a new rogue anti-spyware application called SpyHeal was starting to be seen on some of the more dubious anti-spyware product pages. Though we are not the first to report on SpyHeal (the SunBelt Blog has already blogged about it), there is strong evidence that this may be the successor to the SpywareQuake program, which has had high visibility. For those who do not know what SpywareQuake is: it is a widely distributed rogue anti-spyware application that uses Trojans and fake security alerts as a scare tactic to make you purchase the full commercial software.
There are a few items that make us believe that these applications are tied together. Some of these are:
- The domains are registered using the registrar ESTDomains. Though this in itself is not that suspicious, you can see from the Spyware Warrior blog entry that ESTdomains is tied to ESThost and other domains/ISPs that are known for hosting malware distribution sites.
- The commands in the Registry that start all of these variants are in the exact same format:
  O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
  O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
  O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
  O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
  O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
  O4 - HKLM\..\Run: [Malware-Wipe] C:\Program Files\Malware-Wipe\Malware-Wipe.exe /h
  Notice the /h at the end of each command?
- There is one server for both SpyHeal.com and SpywareQuake, colocated at the same ISPs: inhoster and intercafe. Coincidental or maybe not? If I were a company continuously rolling out products, and making a lot of money on it, I would stick to a solution that I know works.
- There has been a steadily decreasing number of Trojan installers for SpywareQuake being released. Maybe they are ramping up to start a campaign with a new product?
- The additional information given at the bottom of the SunbeltBLOG entry linked above.
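As an added example (not code from the original post or from any of the tools it mentions), the following Python script parses HijackThis-style O4 lines and flags Run entries that carry the trailing /h switch noted above, reporting as supporting detail when the Run value name also matches its own Program Files folder, as every entry in the list does. The sample input is constructed: the six entries quoted above plus two hypothetical benign-looking entries (ExampleUpdater and ctfmon.exe) that must not be flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the six O4 entries quoted in the post, plus two
# hypothetical benign entries that must NOT be flagged.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKLM\..\Run: [Malware-Wipe] C:\Program Files\Malware-Wipe\Malware-Wipe.exe /h
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class RunEntry:
    hive: str       # HKLM or HKCU
    name: str       # the Run value name shown in [brackets]
    exe_path: str   # executable path, up to and including ".exe"
    args: str       # everything after the executable (may be empty)


# Matches "O4 - HKLM\..\Run: [Name] C:\path\prog.exe args"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Split the command at the first ".exe"; HijackThis does not quote paths containing spaces.
CMD_RE = re.compile(r"^(?P<path>.+?\.exe)(?:\s+(?P<args>.*))?$", re.IGNORECASE)


def parse_o4_line(line: str) -> Optional[RunEntry]:
    """Parse one O4 line; returns None for anything that is not a Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    c = CMD_RE.match(m.group("cmd"))
    if not c:
        return None
    return RunEntry(m.group("hive"), m.group("name"), c.group("path"),
                    (c.group("args") or "").strip())


def program_files_folder(exe_path: str) -> Optional[str]:
    """Return the subfolder name when the exe sits directly under Program Files/<folder>/."""
    parts = exe_path.split("\\")
    if len(parts) == 4 and parts[1].lower() == "program files":
        return parts[2]
    return None


def suspicious_entries(o4_text: str) -> List[Tuple[str, List[str]]]:
    """Flag Run entries launched with the trailing /h switch, with supporting observations."""
    hits: List[Tuple[str, List[str]]] = []
    for line in o4_text.splitlines():
        entry = parse_o4_line(line)
        if entry is None or entry.args.lower() != "/h":
            continue
        reasons = ["started with the trailing /h switch seen across the SpywareQuake family"]
        folder = program_files_folder(entry.exe_path)
        if folder is not None and folder.lower() == entry.name.lower():
            reasons.append(f"Run value name matches its own Program Files folder ({folder})")
        hits.append((entry.name, reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_O4_LINES):
        print(f"{name}: " + "; ".join(reasons))
```

The /h switch alone is a weak signal, so the script treats it as the trigger and the folder-name match as corroboration to print alongside it; run it over the O4 section of a saved HijackThis log and review the flagged names by hand.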
Though all this information by itself may not be conclusive evidence that these programs are related, or that it’s a new campaign that they are about to start, taken together it does add more credence to this possibility.
I have put a very basic guide (link below) on removing the SpyHeal program for those that currently have it installed. As far as we can tell, there are no Trojans that are currently installing it via the fake taskbar security alerts. If you do run into one of these variants and it is difficult to remove, then please contact me and I will help you remove it and at the same time update the guide for the new Trojans that may be installing it.