SpywareQuake is a fake anti-malware program for Microsoft Windows. It is commonly installed by Trojan Horse programs, but can be manually installed. It is associated with SpyFalcon and SpyAxe.

Payload

Transmission

This risk is commonly downloaded by Trojans, but may also be manually installed.

Infection

When SpywareQuake is installed, it hijacks the browser's home page and redirects the web browser to SpywareQuake's website; it displays a menacing blue warning screen claiming that "the system has been stopped to protect you from Spyware" to trick the user into paying for its software; and it jeopardizes the user's privacy and security online by installing trojans and other spyware. SpywareQuake creates the following files:

  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SpywareQuake 2.0.lnk
  • %UserProfile%\Desktop\SpywareQuake.lnk
  • %UserProfile%\Local Settings\Temp\SQLanguage.ini
  • %UserProfile%\Start Menu\Programs\SpywareQuake\SpywareQuake 2.0 Website.lnk
  • %UserProfile%\Start Menu\Programs\SpywareQuake\SpywareQuake 2.0.lnk
  • %UserProfile%\Start Menu\Programs\SpywareQuake\Uninstall SpywareQuake 2.0.lnk
  • %UserProfile%\Start Menu\SpywareQuake 2.0.lnk
  • %ProgramFiles%\SpywareQuake\blacklist.txt
  • %ProgramFiles%\SpywareQuake\Lang\English.ini
  • %ProgramFiles%\SpywareQuake\msvcp71.dll
  • %ProgramFiles%\SpywareQuake\msvcr71.dll
  • %ProgramFiles%\SpywareQuake\ref.dat
  • %ProgramFiles%\SpywareQuake\SpywareQuake.exe
  • %ProgramFiles%\SpywareQuake\SpywareQuake.url
  • %ProgramFiles%\SpywareQuake\uninst.exe
  • %ProgramFiles%\SpywareQuake\Lang\*.*
  • %ProgramFiles%\SpywareQuake\Dirs\*.*
  • %ProgramFiles%\SpywareQuake\Quarantine\*.*

It then creates the following registry subkeys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpywareQuake.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareQuake
  • HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuake

Then it adds the following values:

  • "SpywareQuake" = "%ProgramFiles%\SpywareQuake\SpywareQuake.exe /h"
  • "Spyware Quake" = "%ProgramFiles%\SpywareQuake\SpywareQuake.exe /h"

to the registry subkey:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.
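As an added defender-side example (not part of the wiki page), the Python script below scans a `.reg` export of the Run key for the persistence entries described above, matching either the two value names or the launched executable. The sample export is constructed and assumes the default %ProgramFiles% of C:\Program Files.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the page: the two Run-key value names and the binary they launch.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_VALUE_NAMES = {"spywarequake", "spyware quake"}
KNOWN_BINARY = "spywarequake.exe"

# Constructed sample of what `reg export` of the Run key produces (assumed
# %ProgramFiles% = C:\Program Files). Two SpywareQuake entries sit beside a benign one.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareQuake"="C:\\Program Files\\SpywareQuake\\SpywareQuake.exe /h"
"Spyware Quake"="C:\\Program Files\\SpywareQuake\\SpywareQuake.exe /h"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# "name"="data" lines; .reg files escape backslashes and quotes with a backslash
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_section(reg_text, key_path):
    """Return {value_name: data} for the string values under key_path."""
    values, in_section = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == key_path.lower()
            continue
        if not in_section:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values

def find_spywarequake_persistence(reg_text):
    """Flag Run entries by value name or by the executable they launch."""
    hits = []
    for name, data in parse_reg_section(reg_text, RUN_KEY).items():
        exe = data.split(" /")[0].strip('"')  # drop switches such as "/h"
        binary = PureWindowsPath(exe).name.lower()
        if name.lower() in KNOWN_VALUE_NAMES or binary == KNOWN_BINARY:
            hits.append((name, data))
    return hits
```

The executable check also catches an entry whose value name was changed but which still launches SpywareQuake.exe.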

Media

SpywareQuake viciously violating this victim's PC

Community content is available under CC-BY-SA unless otherwise noted.