December 17th, 2005
SpyAxe anti-spyware installed by trojan
Supposed anti-spyware program SpyAxe is installed by a trojan named zlob.cy (aka Trojan-Downloader.Win32.Zlob) according to F-Secure. SpyAxe showed up on the scene about two months ago and has earned quite a name for itself. SpyAxe manages to appear on users’ desktops without any notice or consent, as seen here, with a warning that your computer is infected with spyware. F-Secure says:
SpyAxe is nice enough to detect the Trojan that downloads it, but it won’t disinfect it unless you pay for a SpyAxe license, $49.50 U.S. (plus a nonimal $2.95 transaction fee). I wouldn’t dare pay for a licensed copy to verify that removal is actually done, but I have my doubts.
F-Secure says this infection is growing rapidly:
[...] there seems to have recently been a huge spike in the distribution of Zlob. We found a way to see how many unique registration IDs have been handed out by the site Zlob registers with. Most of the day, there seemed to be about 1,000 new infections per hour, but now that the U.S. is waking up & powering on their computers, that number has risen to about 2,500 infections per hour.
Instructions for removing SpyAxe using a free tool called SmitRem written by anti-spyware community developer noahdfear can be found at bleepingcomputer.com. SmitRem removes the Trojan-Spy.HTML.Smitfraud.c malware infection and its variants, AntivirusGold, PSGuard Spyware Remover, SpySheriff, Spy Trooper, SpyAxe, and Security Toolbar. SmitRem has been downloaded 252,652 times according to the web page, an indication of how widespread this infection is. An example of a HijackThis log with SpyAxe and the Smitfraud infection can be seen here.
The SpyAxe website has a contacts page. If you’ve been a victim, consider letting them know how you feel about it. The website says the company is located in New Zealand, but the domain name spyaxe.com is registered to Sun Shine Ltd. with a Seattle address.
Domain Name: SPYAXE.COM
Registrant:
SunShine Ltd
David Taylor
187th Ave, 5
King County
Seattle
Washington,98101
US
Tel. +206.9543154
The site’s IP address 195.255.176.68 belongs to Netcathosting in the Ukraine, and the domain registrar is ESTdomains, which I believe is closely related to ESThost, a group known to host a large number of CoolWebSearch sites running exploits. ESThost is also closely related to a California ISP/hosting company Atrivo, also known to host a large number of CWS sites. Note the IP is currently blacklisted by Spamhaus. Four other domains reside on that IP address, almanah.biz, nospywaresoft.com, spyaxe.net and spyaxesupport.com. Links go to the whois lookup for the domain, not the domain itself.
No doubt SpyAxe will earn a top spot on Spyware Confidential’s top ten rogue anti-spyware list to be posted soon. See anti-spyware spread by spyware for information on apps very similar to SpyAxe.
