Updated: July 23, 2007 10:25:18 AM
Type: Spyware
Name: Yahoo! Messenger Spy Monitor
Version: 6.4.3
Publisher: eMatrixSoft
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
When the program is executed, it creates the following folder:
%ProgramFiles%\YIMCS\logs
Next, the program drops the following files:
- %UserProfile%\Local Settings\Temp\DRDld\yimspymonitor.exe
- %CommonProgramFiles%\Download Manager\Yahoo! Messenger Spy Monitor\LMDOWNLOADINFO.xml
- %ProgramFiles%\YIMCS\data\dpnsvry.exe
- %ProgramFiles%\YIMCS\data\emxfile003.dat
- %ProgramFiles%\YIMCS\data\ps_demo_report.html
- %ProgramFiles%\YIMCS\data\testftpok.html
- %ProgramFiles%\YIMCS\data\vssvcy.exe
- %ProgramFiles%\YIMCS\data\yimusr.ini
- %ProgramFiles%\YIMCS\help.chm
- %ProgramFiles%\YIMCS\License.txt
- %ProgramFiles%\YIMCS\readme.txt
- %ProgramFiles%\YIMCS\unins000.dat
- %ProgramFiles%\YIMCS\unins000.exe
- %ProgramFiles%\YIMCS\winyim.exe
- %System%\adsnwy.exe
- %System%\mxpvct22.dat
- %System%\mxpvct25.dat
- %System%\yimappini.ini
The program then creates the following registry subkeys:
HKEY_ALL_USERS\Software\Digital River
HKEY_ALL_USERS\Software\Digital River\SoftwarePassport\Download Manager\6FFCFD13AF7A92143F5AD29D6134E432
HKEY_ALL_USERS\Software\Digital River\SoftwarePassport\eMatrixSoft\Yahoo! Messenger Spy Monitor
HKEY_CLASSES_ROOT\CLSID\{A4643A87-99A0-4404-9BC5-2322BDD61637}
HKEY_CLASSES_ROOT\CLSID\{A46E5261-9956-4767-88CA-DFCED050D09E}
HKEY_CLASSES_ROOT\CLSID\{A7EC2CD3-9941-4FD4-9D01-105DC16A4313}
HKEY_CLASSES_ROOT\Chilkat.Email2
HKEY_CLASSES_ROOT\Chilkat.EmailBundle2
HKEY_CLASSES_ROOT\Chilkat.MailMan2
HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatEmail2
HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatEmailBundle2
HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatMailMan2
It also creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"adsnwy" = "%System%\adsnwy.exe"
The program then records Yahoo! Instant Messenger information on the computer and saves it to a log file.
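A host check for the artifacts described above, as an added example that is not part of the original writeup or any vendor tool. The function name is hypothetical, and the script assumes that %System% refers to the Windows system folder, which the writeup does not define.

```powershell
# Added example: look for the files, folder and Run value named in this writeup.
# Assumption: %System% is the Windows system folder; the writeup does not define it.
function Find-YimSpyArtifacts {
    # A 32-bit installer on 64-bit Windows is redirected to "Program Files (x86)",
    # SysWOW64 and the WOW6432Node registry view, so check both views.
    $pfRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                Where-Object { $_ } | Select-Object -Unique
    $sysRoots = @([Environment]::GetFolderPath('System'),
                  [Environment]::GetFolderPath('SystemX86')) |
                Where-Object { $_ } | Select-Object -Unique

    # Relative paths taken from the writeup's folder and file lists.
    $pfItems  = 'YIMCS\logs', 'YIMCS\winyim.exe', 'YIMCS\data\dpnsvry.exe',
                'YIMCS\data\vssvcy.exe', 'YIMCS\data\yimusr.ini'
    $sysItems = 'adsnwy.exe', 'mxpvct22.dat', 'mxpvct25.dat', 'yimappini.ini'

    $candidates  = @(foreach ($r in $pfRoots)  { $pfItems  | ForEach-Object { Join-Path $r $_ } })
    $candidates += @(foreach ($r in $sysRoots) { $sysItems | ForEach-Object { Join-Path $r $_ } })

    $hits = @()
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $hits += [pscustomobject]@{ Kind = 'Path'; Location = $path; Detail = '' }
        }
    }

    # Persistence: the "adsnwy" value under the machine-wide Run key.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $entry = Get-ItemProperty -LiteralPath $key -Name 'adsnwy' -ErrorAction SilentlyContinue
        if ($entry) {
            $hits += [pscustomobject]@{ Kind = 'RunValue'; Location = $key; Detail = $entry.adsnwy }
        }
    }
    $hits
}

$found = @(Find-YimSpyArtifacts)
if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No listed artifacts found.'
}
```

A hit on the Run value together with `adsnwy.exe` in the system folder matches the startup behaviour described above; a single leftover file on its own may only indicate an incomplete uninstall.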