Spyware.PCPandora

Updated: August 16, 2007 1:09:56 PM
Type: Spyware
Name: PC Pandora
Version: 4.2.11
Publisher: Pandora Corp.
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the program is executed, it creates the following folder:
%UserProfile%\Start Menu\Programs\PC Pandora

Next, the program creates the following files:
  • %System%\[RANDOM CHARACTERS]\dhcpsub.dat
  • %System%\[RANDOM CHARACTERS]\{467E3224-CDDA-B981-DBCD-81B9AECD8BB9}.dat
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\InstallOptions.dll
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\ioSpecial.ini
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\modern-wizard.bmp
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\options.ini
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\PandoraInstaller.dll
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\System.dll
  • %Windir%\Help\[RANDOM CHARACTERS].chm
  • %System%\[RANDOM CHARACTERS].exe
  • %System%\[RANDOM CHARACTERS FILE NAME 1].dll
  • %System%\[RANDOM CHARACTERS FILE NAME 2].dll
  • %System%\[RANDOM CHARACTERS FILE NAME 3].dll
  • %UserProfile%\Start Menu\Programs\PC Pandora\View Recorded Data.lnk


The program then creates the following registry subkeys:
  • HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID]
  • HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[RANDOM CHARACTERS]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\[RANDOM CHARACTERS]


Note: [RANDOM CLSID] may be one of the following:
  • 06E75832-877B-4D9C-BD8F-1FF47BC003EC
  • 7000220F-869C-220A-EF0C-8B630000E196
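
The following triage helper is an added example, not part of the original write-up or any Symantec tool. It matches an exported listing of file paths and registry keys against the artifacts listed above, treating each [RANDOM CHARACTERS] component as a wildcard; the sample listing and the user name in it are constructed, and the %System% folder name is an assumption noted in the code.

```python
import re

SEG = r"[^\\]+"              # one path component, stands in for [RANDOM CHARACTERS]
SYS = r"\\system(32)?\\"     # assumption: %System% is ...\System or ...\System32
GUID_DAT = re.escape("{467E3224-CDDA-B981-DBCD-81B9AECD8BB9}.dat")
CLSIDS = "06E75832-877B-4D9C-BD8F-1FF47BC003EC|7000220F-869C-220A-EF0C-8B630000E196"

# (confidence, label, pattern). "strong" rules rest on names fixed in the write-up.
# "review" rules cover keys whose last component is random: legitimate entries
# match as well, so every hit needs a manual look. The randomly named .exe, .dll
# and .chm files have no fixed part and are not matched here.
RULES = [
    ("strong", "Start Menu folder", r"\\Start Menu\\Programs\\PC Pandora(\\|$)"),
    ("strong", "dhcpsub.dat", SYS + SEG + r"\\dhcpsub\.dat$"),
    ("strong", "GUID-named .dat", SYS + SEG + r"\\" + GUID_DAT + "$"),
    # InstallOptions.dll, System.dll, ioSpecial.ini and modern-wizard.bmp are
    # stock NSIS installer files, so only the product-specific DLL is matched.
    ("strong", "PandoraInstaller.dll", r"\\Temp\\" + SEG + r"\\PandoraInstaller\.dll$"),
    ("strong", "listed CLSID", r"\\CLSID\\\{?(" + CLSIDS + r")\}?(\\|$)"),
    ("review", "Winlogon Notify subkey", r"\\Winlogon\\Notify\\" + SEG + "$"),
    ("review", "icon overlay handler", r"\\ShellIconOverlayIdentifiers\\" + SEG + "$"),
]
COMPILED = [(c, l, re.compile(p, re.IGNORECASE)) for c, l, p in RULES]

def triage(entries):
    """Return (confidence, label, entry) for every listing line that matches a rule."""
    hits = []
    for entry in entries:
        for conf, label, rx in COMPILED:
            if rx.search(entry.strip()):
                hits.append((conf, label, entry))
    return hits

# Constructed sample listing (file paths and registry keys), not from a real host.
SAMPLE = [
    r"C:\Documents and Settings\kim\Start Menu\Programs\PC Pandora\View Recorded Data.lnk",
    r"C:\WINDOWS\system32\qzxv\dhcpsub.dat",
    r"C:\WINDOWS\system32\qzxv\{467E3224-CDDA-B981-DBCD-81B9AECD8BB9}.dat",
    r"C:\Documents and Settings\kim\Local Settings\Temp\nsA1.tmp\System.dll",
    r"HKEY_CLASSES_ROOT\CLSID\{06E75832-877B-4D9C-BD8F-1FF47BC003EC}",
    # crypt32chain is a legitimate Windows XP entry; it shows why this rule is "review".
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain",
]

if __name__ == "__main__":
    for conf, label, entry in triage(SAMPLE):
        print(f"{conf:6} {label:24} {entry}")
```

Matching is case-insensitive because Windows paths and registry key names are.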


The program then records the following information:
  • Screenshots
  • Programs used
  • Web sites visited
  • Keystrokes
  • IM conversations
  • User activity, e.g. logon/logoff times
  • Email activity
  • File-sharing network activity


The user who installs the program may set a password to access the information, which can be stored locally on the computer.

The information can also be emailed to a remote location.