SpywareQuake - newest rogue, replacing SpyFalcon and SpyAxe
Since I first heard about SpywareQuake, late yesterday afternoon, less than 24 hours ago, I've seen dozens of complaints about it already. SpywareQuake is being installed without notice or consent, hijacks the desktop and pops up a warning from the system tray that the machine is infected with spyware. It scans and reports that it found spyware in the machine and then demands payment to remove the so-called spyware. You can see a screenshot of SpywareQuake at SunbeltBLOG here.
If you find this blog post and are wondering about SpywareQuake, whether you should buy it, the answer is NO. It's a rogue and a rip-off! It is installed by and with spyware and contains malware to prevent you from removing it. It's another variant of the SmitFraud infection.
Right now none of the antivirus or anti-spyware programs that I'm aware of will detect and remove SpywareQuake. The offending file that resists removal and causes reinfection appears to be C:\Windows\System32\stickrep.dll.
Several people in the anti-spyware community have posted tutorials on removing SpywareQuake. BleepingComputer.com tutorial here. Nick's Computer Security blog's SpyFalcon removal instructons have been updated to include SpywareQuake. One use commented that after following the instructions and renaming the file stickrep.dll to something else, he was rid of SpywareQuake.
Who is behind this rogue application? The domain whois information shows this:
Domain Name: SPYWAREQUAKE.COM
Registrant:
SafeSurf LLC
Kevin Gerad kevin.gerad (at) gmail.com
U-12 Gamma Commercial Complex # 47 Rizal Highway cor. Manila
Olongapo City
null,98101
PH
Tel. +201.6753332
Creation Date: 27-Nov-2005
Expiration Date: 27-Nov-2006
Domain servers in listed order:
dns2.spywarequake.info
dns1.spywarequake.info
Whois.sc is showing spywarequake.com as not active but dnsstuff.com is able to ping the domain. The IP address is 216.255.188.98, which belongs to InterCage (formerly known as Atrivo). More information about InterCage/Atrivo in my post about ISPs hosting spyware. Tracert to spywarequake.com and to spywarequake.info show the upstream provider as nLayer:
69.22.143.6 AS4436 AS-NLAYER ge1-2.hr1.sfo1.us.nlayer.net.
On a side note, I recently sent an email to InterCage's abuse reporting address, and to the owner, Emil Kacpersky, regarding blog comment spam to this blog and have not received any reply.
I'd recommend putting the domains spywarequake.com and spywarequake.info in the Internet Explorer restricted site zone, or blocking it in the hosts file or firewall, along with the IP address 216.255.188.98.