XBlock By Actiance - Home
Someone Spying on You? Fight Back!
Currently 25,860,543 Spy Software Busted!
Full Name: Wareout
Type: Miscellaneous Security
Danger Level: 7
Category Description: These are usually anti-spyware or security software applications that use various forms of deception and/or unethical means or show a history of negligent false positives to goad the end user to make a purchase.

In some cases these applications may be downloaded with some form of unwanted software, at which point the rogue application is offered to the customer as a way to remove the unwanted software.
Official Description: WareOut claims: "...is the Latest and Most Advanced Spyware Detection and Removal application on the Internet. We will prevent anyone from "spying" on your Internet activities."

This site does not contain a privacy statement.
Comment: We monitored the process list while executing this program. It dropped several bogus entries in the autostart location of the registry, then reported them as spyware. In fact, everything listed in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was reported as spyware. The files referenced by the autostart values simply did not exist on the test machines. Spywareguide also monitored this application's activity while it ran a spyware scan, and the only activity was dropping bogus entries. Furthermore, when we deleted the software key in HKEY_LOCAL_MACHINE, it was regenerated with a fresh list of randomly generated autostart values.

When Spywareguide ran a scan with the application, it picked up a list of everything in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and reported it as being spyware. The test machine was a fresh image. Further investigation via Google correlated this program with about:blank and/or a CWS variant. Process list attached.

55 19.30372603 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\teqq32 SUCCESS "Trayz.exe"
56 19.30406574 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\br0ken SUCCESS "syspanel.exe"
57 19.30441411 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kargo SUCCESS "abrek.exe"
58 19.30444903 WareOut.exe:556 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
59 19.30487590 WareOut.exe:556 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\jopplerg SUCCESS "install2.exe"
60 19.30528517 WareOut.exe:556 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XTermInit


This was the first drop in the registry:
O4 - HKCU\..\Run: [ERTYDF]
O4 - HKCU\..\Run: [JAguAr]
O4 - HKCU\..\Run: [NsCplTray]
O4 - HKCU\..\Run: [PrcIdle]
O4 - HKCU\..\Run: [utsgmon]
O4 - HKCU\..\Run: [TForm1]
O4 - HKCU\..\Run: [teqq32]
O4 - HKCU\..\Run: [br0ken]
O4 - HKCU\..\Run: [Kargo]

The second drop:
O4 - HKLM\..\Run: [RtlFindVal]
O4 - HKLM\..\Run: [uio]
O4 - HKLM\..\Run: [jopplerg]
O4 - HKLM\..\Run: [XTermInit]
O4 - HKLM\..\Run: [ParisM]
O4 - HKLM\..\Run: [ExchangeMaster]
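
The behaviour described in the comment (one process writing a burst of autostart values) can be picked out of a registry-monitor log mechanically. The following is an added example, not part of the original write-up or of any Actiance tool: it parses the log excerpt above, including its truncated last line, and flags processes that set several Run values in quick succession. The thresholds (`min_values`, `window`) and log line 61 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Log line layout: seq, time, process:pid, operation, key path, optional result, optional data.
LINE = re.compile(
    r'^(?P<seq>\d+)\s+(?P<t>\d+\.\d+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+(?P<op>\w+)\s+'
    r'(?P<path>\S+)(?:\s+(?P<result>[A-Z]+))?(?:\s+(?P<data>.*))?$')
# An autostart value sits directly under ...\CurrentVersion\Run\<value name>.
RUN_VALUE = re.compile(
    r'^(HKCU|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$',
    re.IGNORECASE)

# Lines 55-60 are the excerpt from this page; line 61 is constructed for contrast.
SAMPLE = r"""
55 19.30372603 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\teqq32 SUCCESS "Trayz.exe"
56 19.30406574 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\br0ken SUCCESS "syspanel.exe"
57 19.30441411 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kargo SUCCESS "abrek.exe"
58 19.30444903 WareOut.exe:556 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
59 19.30487590 WareOut.exe:556 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\jopplerg SUCCESS "install2.exe"
60 19.30528517 WareOut.exe:556 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XTermInit
61 42.10000000 setup.exe:1204 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater SUCCESS "updater.exe"
""".strip().splitlines()

def run_key_writes(lines):
    """Map (process, pid) -> [(time, hive, value name, data or None)] for SetValue on Run keys."""
    writes = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m['op'] != 'SetValue':
            continue
        key = RUN_VALUE.match(m['path'])
        if key:
            data = m['data'].strip('"') if m['data'] else None  # truncated lines carry no data
            writes[(m['proc'], int(m['pid']))].append(
                (float(m['t']), key.group(1).upper(), key['name'], data))
    return dict(writes)

def burst_writers(writes, min_values=3, window=1.0):
    """Processes that set at least min_values distinct Run values within `window` seconds."""
    flagged = {}
    for proc, events in writes.items():
        events = sorted(events, key=lambda e: e[0])
        for i, first in enumerate(events):
            names = {e[2] for e in events[i:] if e[0] - first[0] <= window}
            if len(names) >= min_values:
                flagged[proc] = sorted(names)
                break
    return flagged
```

On a live system the same check would be followed by confirming whether each referenced file exists, since the write-up notes that the dropped values pointed at files that were not present.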
   
Information URL: http://www.wareout.com/

© Copyright 2003-2011, Actiance, Inc. All rights reserved.