InsideChatSpy

Printer Friendly Page

Updated: July 20, 2007 10:53:29 AM

Type: Spyware

Risk Impact: High

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the program is executed, it creates the following folders:

C:\Documents and Settings\All Users\Application Data\ICS
C:\Documents and Settings\All Users\Application Data\ICS\Logs
C:\Documents and Settings\All Users\Application Data\ICS\Logs\AIM
C:\Documents and Settings\All Users\Application Data\ICS\Logs\ICQ
C:\Documents and Settings\All Users\Application Data\ICS\Logs\MSN
C:\Documents and Settings\All Users\Application Data\ICS\Logs\Skype
C:\Documents and Settings\All Users\Application Data\ICS\Logs\Users
C:\Documents and Settings\All Users\Application Data\ICS\Logs\Yahoo

It then creates the following files:

C:\Documents and Settings\All Users\Application Data\ICS\xcacls.exe
C:\Documents and Settings\All Users\Application Data\ICS\ICS.dll
C:\Documents and Settings\All Users\Application Data\ICS\ICS.exe
C:\Documents and Settings\All Users\Application Data\ICS\EML.exe
C:\Documents and Settings\All Users\Application Data\ICS\ICS.chm
C:\Documents and Settings\All Users\Application Data\ICS\ICSUninstaller.exe
C:\Documents and Settings\All Users\Application Data\ICS\Logs\AIMusers.usr
C:\Documents and Settings\All Users\Application Data\ICS\Logs\ICQusers.usr
C:\Documents and Settings\All Users\Application Data\ICS\Logs\ICSAllDayICSMessenger.xsl
C:\Documents and Settings\All Users\Application Data\ICS\Logs\ICSErrors.txt
C:\Documents and Settings\All Users\Application Data\ICS\Logs\ICSMessenger.xsl
C:\Documents and Settings\All Users\Application Data\ICS\Logs\MSNusers.usr
C:\Documents and Settings\All Users\Application Data\ICS\Logs\Skypeusers.usr
C:\Documents and Settings\All Users\Application Data\ICS\Logs\Sysbk.bmp
C:\Documents and Settings\All Users\Application Data\ICS\Logs\TestEmail.xml
C:\Documents and Settings\All Users\Application Data\ICS\Logs\Yahoousers.usr

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ICS" = "C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\All Users\Application Data\ICS\ICS.dll" rdl"

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\ICS

The program then records Instant Message chat conversations. The harvested information can then be viewed locally or emailed to an address specified during configuration of the application.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}