SpyAxe

From Wikipedia, the free encyclopedia

SpyAxe
Common name: SpyAxe
Technical name: Adware.Spyaxe
Aliases: Adware-spyaxe
Family: AntiVirus Gold
Classification: Adware
Type: Microsoft Windows
Isolation: First isolation date not known.
Point of isolation: First isolation unknown.
Point of origin: Cyprus
Author(s): SpyAxe
Identified as "badware" by Stopbadware

SpyAxe is a malicious software program (more commonly known as malware) that infects computers by pretending to be an antispyware application,[1] and is a member of the AntiVirus Gold family.[2]

Infection

A trojan already on the computer (usually the Zlob trojan) may display an icon in the system tray with a persistent popup saying that the computer has been infected; clicking it downloads and then installs SpyAxe.[3] Once SpyAxe is installed, it requires the user to go to SpyAxe's website and purchase the software before it will allow removal of any malware it detects (including the trojan that installed it).[4] Credit card payments go through an online credit card processing centre called PSBill,[5] based in Gibraltar.[6]

Symptoms

It may attempt to change the computer's wallpaper/desktop and permanently change Internet Explorer's homepage, even though a different one has been selected in "Tools - Internet Options - Home Page." This is done via group policy, which makes it appear as if the network's administrator changed the home page.

Amongst others, SpyAxe installs the following:

Processes

  • mscornet.exe
  • mssearchnet.exe
  • nvctrl.exe
  • spyaxe.exe (multiple instances)

DLLs

  • ioctrl.dll
  • svchosts.dll
  • webconm.dll
  • wbeconm.dll

Directories

  • C:\Program Files\SpyAxe
  • C:\Windows\System\1024
  • C:\Windows\System32\1024
  • C:\Winnt\System32\1024
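
The lists above can be turned into a small triage check over process and file listings collected from a host. This is an added example, not part of the original article; the function name, the sample listings and the file locations in them are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Indicator names copied from the Processes, DLLs and Directories lists above.
PROCESS_NAMES = {"mscornet.exe", "mssearchnet.exe", "nvctrl.exe", "spyaxe.exe"}
DLL_NAMES = {"ioctrl.dll", "svchosts.dll", "webconm.dll", "wbeconm.dll"}
DIRECTORIES = [PureWindowsPath(p) for p in (
    r"C:\Program Files\SpyAxe",
    r"C:\Windows\System\1024",
    r"C:\Windows\System32\1024",
    r"C:\Winnt\System32\1024",
)]


def triage(processes, paths):
    """Return sorted (kind, value) findings for one host's listings.

    processes: image names of running processes (duplicates allowed).
    paths: absolute Windows paths of files or directories seen on disk.
    """
    findings = set()
    for name in processes:
        if name.lower() in PROCESS_NAMES:
            findings.add(("process", name.lower()))
    for raw in paths:
        path = PureWindowsPath(raw)  # parses "\" and "/" on any OS
        # Exact file-name match only, so "svchosts.dll" does not flag
        # the legitimate "svchost.exe".
        if path.name.lower() in DLL_NAMES:
            findings.add(("dll", path.name.lower()))
        # PureWindowsPath compares case-insensitively, as Windows does.
        for directory in DIRECTORIES:
            if path == directory or directory in path.parents:
                findings.add(("directory", str(directory)))
    return sorted(findings)


# Constructed sample listings (not taken from a real host).
SAMPLE_PROCESSES = ["explorer.exe", "SpyAxe.exe", "spyaxe.exe", "svchost.exe"]
SAMPLE_PATHS = [
    r"c:\windows\SYSTEM32\1024\ld1A2B.tmp",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wbeconm.dll",
    "C:/Program Files/SpyAxe",
]

if __name__ == "__main__":
    for kind, value in triage(SAMPLE_PROCESSES, SAMPLE_PATHS):
        print(f"{kind:9} {value}")
```

A name match is only a lead for further inspection, since the article lists these items "amongst others" and does not say where the DLLs are placed.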

Known Variants

There are several variants of this adware. In early 2006, SpyAxe was distributed under a variety of names, including SpywareStrike (identical to SpyAxe), SpySheriff, SpyFalcon, SpywareQuake, MalwareWipe, and many other pseudonyms.

Removal

SpyAxeFix, later renamed smitRem, was the first tool designed specifically for the removal of Smitfraud variants. Development of this tool has halted, and SmitFraudFix is currently the most popular tool used to remove this infection.

There are excellent step-by-step removal instructions here.

References

  1. ^ SpywareWarrior's Rogue/Suspect malware list - SpyAxe is listed because of "desktop hijacking, aggressive/deceptive advertising" (page accessed 19 May 2006).
  2. ^ Webroot's Spyware Education Center - Rogue Anti-Spyware Programs: lists SpyAxe (and its family) as one of the top 3 threats (page accessed 23 May 2006).
  3. ^ F-Secure's extended details on SpyAxe - (page accessed 19 May 2006).
  4. ^ McAfee's classification of SpyAxe - (page accessed 19 May 2006).
  5. ^ SpyAxe online purchase page - (page accessed 19 May 2006).
  6. ^ www.psbill.biz - From address in copyright notice bottom-left of psbill.biz's homepage (page accessed 19 May 2006).
