SpywareStrike

Updated: 13 February 2007
Risk Impact: Medium
File Names: ss_setup.exe, spywarestrike.exe
Systems Affected: Windows

Behavior

SpywareStrike is a Security Risk that may give exaggerated reports of threats on the compromised computer. The risk then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Symptoms

Your Symantec program detects SpywareStrike.

Behavior

This security risk may be manually downloaded and installed, or installed maliciously by another threat.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 09 January 2006
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 11 January 2006

When SpywareStrike is executed, it performs the following actions:
  1. Creates the following folder:

    %ProgramFiles%\SpywareStrike

    Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following files:

    • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareStrike 2.5.lnk
    • %UserProfile%\Desktop\SpywareStrike.lnk
    • %UserProfile%\Start Menu\Programs\SpywareStrike
    • %UserProfile%\Start Menu\Programs\SpywareStrike\SpywareStrike 2.5 Website.lnk
    • %UserProfile%\Start Menu\Programs\SpywareStrike\SpywareStrike 2.5.lnk
    • %UserProfile%\Start Menu\Programs\SpywareStrike\Uninstall SpywareStrike 2.5.lnk
    • %UserProfile%\Start Menu\SpywareStrike 2.5.lnk
    • %ProgramFiles%\SpywareStrike\Lang\English.ini
    • %ProgramFiles%\SpywareStrike\Quarantine
    • %ProgramFiles%\SpywareStrike\SpywareStrike.exe
    • %ProgramFiles%\SpywareStrike\SpywareStrike.url
    • %ProgramFiles%\SpywareStrike\msvcp71.dll
    • %ProgramFiles%\SpywareStrike\msvcr71.dll
    • %ProgramFiles%\SpywareStrike\signatures.ref
    • %ProgramFiles%\SpywareStrike\uninst.exe

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\AppID\SpywareStrike.EXE
    HKEY_CLASSES_ROOT\TypeLib\{C1A4C0C9-DBD0-493A-93F8-0B05EDC96224}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareStrike.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStrike
    HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStrike
    HKEY_CLASSES_ROOT\Interface\{2C15CDEA-3EF4-4405-90B0-19A1389B36ED}
    HKEY_CLASSES_ROOT\Interface\{3115A433-3FA0-483B-AB01-2A61C951FE58}
    HKEY_CLASSES_ROOT\Interface\{51FEFA9C-1D5A-41C4-81FE-8C0FBE9254F0}
    HKEY_CLASSES_ROOT\Interface\{5CCC8D01-9F75-4F07-9ACF-DEB314176C79}
    HKEY_CLASSES_ROOT\Interface\{5E7BF614-960B-4A1F-9236-9EC01AC4C5E2}
    HKEY_CLASSES_ROOT\Interface\{66F0AC1C-DED5-4965-9E31-39788DF1B264}
    HKEY_CLASSES_ROOT\Interface\{849E056A-D67A-431E-9370-2275F26D39B5}
    HKEY_CLASSES_ROOT\Interface\{8B7AFBFD-631C-45BA-9145-F059EB58DD73}
    HKEY_CLASSES_ROOT\Interface\{AFEB8519-0B8B-4023-8C15-FFB17D5225F9}
    HKEY_CLASSES_ROOT\Interface\{BA9CC151-4581-438E-94AF-4C703201B7CA}
    HKEY_CLASSES_ROOT\Interface\{BC74C336-FF2C-40C9-AD4E-3772C208406B}
    HKEY_CLASSES_ROOT\Interface\{BDF00F24-A571-4392-95EC-04FDFF82A82C}
    HKEY_CLASSES_ROOT\Interface\{C4E953E6-770E-4F59-A5E3-43E9F0D682E2}
    HKEY_CLASSES_ROOT\Interface\{E0105E7C-D0C4-4DEA-AA21-B02F2960ECAF}
    HKEY_CLASSES_ROOT\Interface\{ED39CB7C-1BF6-429B-A275-F183B4A3EFCB}
    HKEY_CLASSES_ROOT\Interface\{F23AA637-31D5-4526-B5C6-9FF89E16202C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5}

  4. Adds the value:

    "SpywareStrike" = "%ProgramFiles%\SpywareStrike\SpywareStrike.exe /h"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk is executed every time Windows starts.

  5. Adds the values:

    "{0A4AF3E9A644EE5C8}" = "56 3E A8 0E 0B A2 A7 A6 ..."
    "{IA4AF3E9A644EE5C8}" = "06 00 00 00"
    "{K7C0DB872A3F777C0}" = "1F 0A C9 7F FC 08 1F FF ..."

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

    Note: The above registry entries may be used by legitimate programs.


The following instructions pertain to all Symantec antivirus products that support security risk detection.
  1. Update the definitions.
  2. Uninstall the security risk.
  3. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To uninstall the security risk
This security risk includes an uninstallation applet. In order to uninstall this security risk, complete the following instructions:
  1. Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).

  2. In the Control Panel window, double-click Add/Remove Programs.

    Windows Me only: If you do not see the Add/Remove Programs icon, click ...view all Control Panel options.

  3. Click SpywareStrike 2.5.

    Note:
    You may need to use the scroll bar to view the whole list.

  4. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

    Note: After running the Add/Remove Programs applet, all the files may have been removed. You will want to run a full system scan to ensure that this is the case. However, it is possible that no files will be detected after using Add/Remove Programs.

3. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit

    Then click OK.

    Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  3. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "SpywareStrike" = "%ProgramFiles%\SpywareStrike\SpywareStrike.exe /h"

  5. Navigate to and delete the following subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SpywareStrike.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F25878F-F8AE-5D5D-2BB7-31B5F803290D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2C15CDEA-3EF4-4405-90B0-19A1389B36ED}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3115A433-3FA0-483B-AB01-2A61C951FE58}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{51FEFA9C-1D5A-41C4-81FE-8C0FBE9254F0}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5CCC8D01-9F75-4F07-9ACF-DEB314176C79}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5E7BF614-960B-4A1F-9236-9EC01AC4C5E2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{66F0AC1C-DED5-4965-9E31-39788DF1B264}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{849E056A-D67A-431E-9370-2275F26D39B5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B7AFBFD-631C-45BA-9145-F059EB58DD73}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AFEB8519-0B8B-4023-8C15-FFB17D5225F9}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BA9CC151-4581-438E-94AF-4C703201B7CA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BC74C336-FF2C-40C9-AD4E-3772C208406B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDF00F24-A571-4392-95EC-04FDFF82A82C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C4E953E6-770E-4F59-A5E3-43E9F0D682E2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0105E7C-D0C4-4DEA-AA21-B02F2960ECAF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED39CB7C-1BF6-429B-A275-F183B4A3EFCB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F23AA637-31D5-4526-B5C6-9FF89E16202C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1A4C0C9-DBD0-493A-93F8-0B05EDC96224}

  6. Exit the Registry Editor.
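The script below is an added audit example, not part of the Symantec writeup: it checks a host for the indicators listed in the technical description (the Run value, the install folder and files, the registry subkeys and the Licenses values) and reports what is present, so it can be run before cleanup to confirm detection and again after the removal steps above to verify nothing was missed. It assumes an elevated PowerShell session on the affected machine; it reads only and deletes nothing.

```powershell
# Added audit script (not from the Symantec writeup): reports SpywareStrike
# indicators still present on this host. Assumes an elevated session; read-only.
$findings = @()

# 1. Persistence: the Run value that relaunches SpywareStrike.exe /h at logon
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).SpywareStrike
if ($runValue) {
    $findings += "Run value present: SpywareStrike = $runValue"
}

# 2. Install folder and the files the writeup lists under %ProgramFiles%
$installDir = Join-Path $env:ProgramFiles 'SpywareStrike'
if (Test-Path $installDir) {
    $findings += "Install folder present: $installDir"
    foreach ($f in 'SpywareStrike.exe', 'uninst.exe', 'signatures.ref', 'Lang\English.ini') {
        $p = Join-Path $installDir $f
        if (Test-Path $p) { $findings += "  file: $p" }
    }
}

# 3. COM registration, App Paths and Uninstall entries from the technical description
$subkeys = @(
    'HKLM:\SOFTWARE\SpywareStrike',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStrike',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareStrike.exe',
    'HKLM:\SOFTWARE\Classes\AppID\SpywareStrike.EXE',
    'HKLM:\SOFTWARE\Classes\AppID\{70F17C8C-1744-41B6-9D07-575DB448DCC5}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{C1A4C0C9-DBD0-493A-93F8-0B05EDC96224}'
)
foreach ($k in $subkeys) {
    if (Test-Path $k) { $findings += "Registry subkey present: $k" }
}

# 4. Values under HKLM\SOFTWARE\Licenses. The writeup notes legitimate programs
#    also use this key, so only the three named values are flagged, never the key.
$licKey = 'HKLM:\SOFTWARE\Licenses'
if (Test-Path $licKey) {
    $lic = Get-ItemProperty -Path $licKey -ErrorAction SilentlyContinue
    foreach ($n in '{0A4AF3E9A644EE5C8}', '{IA4AF3E9A644EE5C8}', '{K7C0DB872A3F777C0}') {
        if ($lic.PSObject.Properties.Name -contains $n) {
            $findings += "Licenses value present: $n (shared key, verify before removing)"
        }
    }
}

if ($findings.Count -eq 0) { 'No SpywareStrike indicators found.' } else { $findings }
```

The Interface subkeys from step 5 follow the same Test-Path pattern and can be appended to $subkeys; the %UserProfile% shortcuts are per-user and are checked under $env:USERPROFILE the same way as the install folder.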