Please PM me the names of the forums if you recall which ones they are.
If we receive a positive, there's no need to leave them in the dark about this situation.
Yes . . . Better safe than sorry.
PS: I have temporarily made this thread a Sticky.
ok, give me a few minutes
Awesome catch. Thanks for sharing!
I just looked at the cookies in Firefox, the browser I use & do not see them there? I can't find the AppData/Microsoft/Cookies/ folder.
Is making sure they aren't listed in the browser cookies file enough?
Thanks!
I have to say I think it is kind of weird that his software is actually really good if he was trying to infect our computers; why would he go to the trouble?
Anyway I ran Hitman Pro: no infection
SpyBot: nothing unusual
But when I tried to install Spinner Chief I don't think it fully installed.
I'm a .NET developer so I tried using a reverse engineering tool to take a peek at the source code to see if I could see anything untoward going on in there. Unfortunately it's been obfuscated, which means I'm not getting anything useful back. One thing I am left wondering, though: although protecting your application from being reverse engineered is good practice for a paid product, why on earth would you need to do it for something you're giving away for free?
I think the file footprint may be ordinary explorer behaviour. Remains the question why a window is created and instantly hidden, and what the excess registry entries do. The following are unique to SpinnerChief:
Code:
Sandbox_Riedel_Spinner (sandbox container name)
Micr
Wind
Curr
MountPoints2
BitB
Brow
Moun
{073d9fb8-3ed6-11de-810c-806e6f6e6963}
_CommentFromDesktopINI
Expl
Inte
Expl
Inte
Tracing
COM3`
Trac
Wind
wind
SpinnerChief_RASAPI32
EnableFileTracing
EnableConsoleTracing
FileTracingMask
ConsoleTracingMask
Cach
MaxFileSize
FileDirectory
SpinnerChief_RASMANCS
EnableFileTracing
EnableConsoleTracing
DOMS
Cook
Intehbin
FileTracingMask
ConsoleTracingMask
MaxFileSize
FileDirectory
Connections
Connections
Microsoft
Windows
CurrentVersion
Internet Settings
GDIPlus
GDIP
Wind
Update_RASAPI32
Spin
Spin
Upda
Upda
EnableFileTracing
EnableConsoleTracing
FileTracingMask
ConsoleTracingMask
Cont
Cook
MaxFileSize
FileDirectory
Update_RASMANCS
EnableFileTracing
EnableConsoleTracing
FileTracingMask
ConsoleTracingMask
MaxFileSize
FileDirectory
Conn
Conn8
Zone 0
Zone
Cont
Cook
Exte
Cont0*
edProxyEnable
ietl
DOMS,
feed
ietlp-
Zones

Can someone figure out exactly what registry queries are performed?
Excellent work omgnames. Thanks for the hint!
I have downloaded and run the program under free mode as well... as of right now I'm glad I had a chance to come to bhw today as it's almost time for a good Labor Day weekend.
Until we figure out what's going on with this program, I think it's safe to say not to go to any important websites.