Spyware.IMonitorPCPro

Updated: December 17, 2007 12:38:46 PM
Type: Spyware
Version: 12.0
Publisher: Clarisoft
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the program is executed, it creates the following files:
  • %Temp%\{90ADEE75-32BF-48C6-88CC-CF591B4BF0A9}\setup.ini
  • %Temp%\{90ADEE75-32BF-48C6-88CC-CF591B4BF0A9}\_isdel.ini
  • %Temp%\{90ADEE75-32BF-48C6-88CC-CF591B4BF0A9}\_ispackdel.ini
  • %Temp%\{90ADEE75-32BF-48C6-88CC-CF591B4BF0A9}\_Setup.dll
  • C:\Documents and Settings\All Users\Desktop\iMonitorPC.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Clarisoft Technologies\iMonitorPC.lnk
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\box.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\box.JPG
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\buy.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\buyNow.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\buyNow_sm.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\buy_full_version.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\cancel.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\Cancel_sm.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\continue_free_trial.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\customerSvc.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\customerSvc_sm.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\enterkey.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\enterkey_sm.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\exit.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\exit_sm.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\iMonitorPC-PRO.jpg
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\iMonitorPC-PRO140x140.jpg
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\money_back_g.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\OK_sm.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\powered_by_dr.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\register.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\register_sm.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\reissueKey.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\reissuekey_sm.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\images\security_lock_text.gif
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\iMonitorPC.exe
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\iMonitorPC.ldb
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\iMonitorPC.mdb
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\iMonitorPCDAL.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\iMonitorPCSvc.exe
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\iMonitorPCSvr.exe
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\libcurl.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\libeay32.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.CRT\msvcm80.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.CRT\msvcp80.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.CRT\msvcr80.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.MFC\mfc80.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.MFC\mfc80u.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.MFC\mfcm80.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.MFC\mfcm80u.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Microsoft.VC80.MFC\Microsoft.VC80.MFC.manifest
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\PacketFilter.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\pictures\000000214320071214160801.jpg
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\skinengine.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\Skins\macos.skin
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\ssleay32.dll
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\urlcategory.dat
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\WinPcap_4_0.exe
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\WM1.ico
  • %ProgramFiles%\ClarisoftTechnologies\iMonitorPCPro\zlib1.dll


Next, it creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\Control
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\MiscStatus
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\MiscStatus\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\ProgID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\ToolboxBitmap32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\TypeLib
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\Verb
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\Verb\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61029AF2-FF30-43EC-9012-1F34BA17F0BA}\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9A2532F-C4FE-F6A3-E5C1-D460C9EB03F3}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9A2532F-C4FE-F6A3-E5C1-D460C9EB03F3}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B552E103-0E60-4195-B329-1F697C76C9F7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B552E103-0E60-4195-B329-1F697C76C9F7}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B552E103-0E60-4195-B329-1F697C76C9F7}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B552E103-0E60-4195-B329-1F697C76C9F7}\TypeLib
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E1FBD1A1-5B34-4CA9-83CF-F410AC68EC45}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E1FBD1A1-5B34-4CA9-83CF-F410AC68EC45}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E1FBD1A1-5B34-4CA9-83CF-F410AC68EC45}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E1FBD1A1-5B34-4CA9-83CF-F410AC68EC45}\TypeLib
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D999C71-8A3A-44F7-B791-8F581D270996}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D999C71-8A3A-44F7-B791-8F581D270996}\1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D999C71-8A3A-44F7-B791-8F581D270996}\1.0\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D999C71-8A3A-44F7-B791-8F581D270996}\1.0\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D999C71-8A3A-44F7-B791-8F581D270996}\1.0\FLAGS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D999C71-8A3A-44F7-B791-8F581D270996}\1.0\HELPDIR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\skinengine.SkinEngineX
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\skinengine.SkinEngineX\Clsid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CC80AFB2-A537-4336-A83A-2A1515946577}
  • HKEY_LOCAL_MACHINE\SOFTWARE\ClarisoftTechnologies
  • HKEY_LOCAL_MACHINE\SOFTWARE\ClarisoftTechnologies\iMonitorPC
  • HKEY_LOCAL_MACHINE\SOFTWARE\ClarisoftTechnologies\iMonitorPCPro
  • HKEY_LOCAL_MACHINE\SOFTWARE\ClarisoftTechnologies\iMonitorPCPro\2.3.5
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iMonitorPCSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iMonitorPCSvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iMonitorPCSvc\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iMonitorPCSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iMonitorPCSvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iMonitorPCSvc\Enum
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Clarisoft Technologies\iMonitorPC.lnk


The program performs the following activities:
  • Records keystrokes
  • Records conversations
  • Captures screen shots

It then sends the gathered information to a remote user through email.