Thread: Warning about SpinnerChief !!!

Hi,

I'm currently investigating the recently advertised program SpinnerChief. While I don't mean to accuse the author, I found something disturbing.

As with every untrusted program, I sandbox it (Sandboxie ftw) and check files are written and which registry changes are made. I made a fresh (empty) sandbox to test SpinnerChief, and the program appears to have tried to steal cookies for sites such as paypal, twitter, google, gmail, etc.

Note I'm not saying that the author is a hacker. At this point I'm not sure what unkosjer things (if anything) the program does.

I'll update this thread when I've found out more.

From Wiz:

To those who have downloaded and used the SpinnerChief application, I STRONGLY urge you to download, install, and run the following applications after you have removed SpinnerChief from your computer.

1) Hitman Pro (Free to try in full featured mode for 30 days)
Download below:

Code:

http://www.surfright.nl/en/hitmanpro

2) Malwarebytes (Free Version)
Download below:

Code:

http://www.malwarebytes.org/

3) CCleaner (Free Cookie Cleaner Application)
Download below:

Code:

http://www.piriform.com/ccleaner/download

UPDATE: Friday - September 3 - 2010:

For those of you who are just now reading this thread, you may disregard much of the information on the first 4 pages of this thread. Things are starting to get sorted out. Remain calm and do not get over-worried. We are working thing out as I speak. - "Wiz"

Whoa!

I put that thread on hold and we're investigating the matter.

If you want to help out checking the program's footprint, I'll borrow you my sandboxie license key.

Definitely would like to know this as I was going to try this program shortly. Looking forward for the update.

To All:

You have my permission to bump this thread for awhile if you see that
it is moving too far down the list. Everyone needs to be aware of this!

It is currently being checked out by one of our savvy members.

"Wiz"

Thanks for the heads up. I downloaded this but have not installed it yet.

Thanks for the heads up omgnames. This guy is spreading this around at other forums also, which kind of leads me to question his motives for releasing this for free. Would love to see him post an explanation here.

Geez.. I hope not I'm running scans on my computer right now!

I lack a proper registry tool, but the difference (in strings) is as follows:
(the string below are added after running the tool. Maybe someone more educated about the windows registry can comment)

Code:

> Cach
> Micr
> Wind
> {073
> Curr
> MountPoints2
> BitB
> Brow
> Moun
> {073d9fb8-3ed6-11de-810c-806e6f6e6963}
> _CommentFromDesktopINI
> Internet Settings
> Expl
> Inte
> ZoneMap
> Internet Settings
> Expl
> Inte
> ZoneMap
> UNCAsIntranet
> AutoDetect
> Tracing
> COM3`
> Trac
> Wind
> wind
> SpinnerChief_RASAPI32
> EnableFileTracing
> EnableConsoleTracing
> FileTracingMask
> ConsoleTracingMask
> Cach
> MaxFileSize
> FileDirectory
> SpinnerChief_RASMANCS
> EnableFileTracing
> EnableConsoleTracing
> DOMS
> Cook
> Intehbin
> FileTracingMask
> ConsoleTracingMask
> MaxFileSize
> FileDirectory
> Connections
> Connections
> Microsoft
> Windows
> CurrentVersion
> Internet Settings
> GDIPlus
> GDIP
> Wind
> Update_RASAPI32
> Spin
> Spin
> Upda
> Upda
> EnableFileTracing
> EnableConsoleTracing
> FileTracingMask
> ConsoleTracingMask
> Cont
> Cook
> MaxFileSize
> FileDirectory
> Update_RASMANCS
> EnableFileTracing
> EnableConsoleTracing
> FileTracingMask
> ConsoleTracingMask
> MaxFileSize
> FileDirectory
> Conn
> Zone
> Cache
> Conn8
> Zone 0
> Zone
> Cache
> Content
> Content
> Cookies
> Cookies
> History
> Cont
> Cook
> Exte
> Hist
> History
> Cont0*
> Cook
> Hist
> Extensible Cache
> DOMStore
> feedplat
> iecompat
> edProxyEnable
> ietl
> ietld
> PrivacIE:
> DOMS,
> feed
> ieco
> ietlp-
> Priv
> User
> UserData
> SavedLegacySettings
> hbin
> Zones