Spyware.XPCMonitor

Updated: September 12, 2008 3:52:51 PM
Type: Spyware
Name: XPC Monitor Keylogger
Version: 2.0.0.1
Publisher: iSoftwise
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the program is executed, it creates the following folder:
%UserProfile%\Local Settings\Temp\ImageLogTemp

It then drops the following files:
  • %ProgramFiles%\XPCMonitor_206\HookPassword.dll
  • %ProgramFiles%\XPCMonitor_206\ImageData.xpc
  • %ProgramFiles%\XPCMonitor_206\KeyData.xpc
  • %ProgramFiles%\XPCMonitor_206\libeay32.dll
  • %ProgramFiles%\XPCMonitor_206\license_en.txt
  • %ProgramFiles%\XPCMonitor_206\MediaLog.dll
  • %ProgramFiles%\XPCMonitor_206\ProfileVerify.dll
  • %ProgramFiles%\XPCMonitor_206\ssleay32.dll
  • %ProgramFiles%\XPCMonitor_206\tips.txt
  • %ProgramFiles%\XPCMonitor_206\TransForm.dll
  • %ProgramFiles%\XPCMonitor_206\Uninstall.exe
  • %ProgramFiles%\XPCMonitor_206\WebData.xpc
  • %ProgramFiles%\XPCMonitor_206\welcome.txt
  • %ProgramFiles%\XPCMonitor_206\XPCMonitor.exe
  • %ProgramFiles%\XPCMonitor_206\XPCMonitorConfig.ini
  • %ProgramFiles%\XPCMonitor_206\XPCMonitorHlp.chm
  • %ProgramFiles%\XPCMonitor_206\XPCMonitorKeyCfg.ini
  • %ProgramFiles%\XPCMonitor_206\XPCMonitorUsrCfg.ini
  • %System%\HookText.dll
  • %System%\WebHook.dll


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"XPCMonitor" = "C:\Program Files\XPCMonitor_206\XPCMonitor.exe"

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\XPCMonitor
  • HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
  • HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj
  • HKEY_LOCAL_MACHINE\SOFTWARE\XPCMonitor_206


The program may then perform the following actions on the computer:
  • Record keystrokes
  • Record visited Web sites
  • Record chat sessions
  • Record launched applications
  • Take screen shots at regular intervals
  • Run completely in stealth mode


The program may then send the created logs of information to a predefined email address.

It may also use FTP to send the gathered information to a remote location.
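
A local check for the folder, file, and registry artifacts listed above, as an added example that is not part of the original write-up or Symantec's tooling. The function name `Find-XPCMonitorArtifact` is hypothetical, `%System%` is assumed to map to the Windows system directory, and the 32-bit redirected locations on 64-bit Windows (`Program Files (x86)`, `SysWOW64`, `WOW6432Node`) are an added assumption beyond what the write-up lists.

```powershell
# Added example: checks the local host for the artifacts listed in this write-up.
# Assumptions: %System% maps to the Windows system directory; 32-bit redirected
# locations (Program Files (x86), SysWOW64, WOW6432Node) are checked as well.
function Find-XPCMonitorArtifact {
    $found = @()

    # Temp folder, install folder and main executable, and the two system DLLs.
    $pfRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $sysRoots = @([Environment]::SystemDirectory, "$env:windir\SysWOW64")
    $paths  = @("$env:USERPROFILE\Local Settings\Temp\ImageLogTemp")
    $paths += $pfRoots  | ForEach-Object { "$_\XPCMonitor_206"; "$_\XPCMonitor_206\XPCMonitor.exe" }
    $paths += $sysRoots | ForEach-Object { "$_\HookText.dll"; "$_\WebHook.dll" }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $found += [pscustomobject]@{ Type = 'File'; Item = $p } }
    }

    # Registry subkeys from the write-up.
    $keys = @(
        'HKEY_CURRENT_USER\Software\XPCMonitor',
        'HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1',
        'HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj',
        'HKEY_LOCAL_MACHINE\SOFTWARE\XPCMonitor_206',
        'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\XPCMonitor_206'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath "Registry::$k") { $found += [pscustomobject]@{ Type = 'RegKey'; Item = $k } }
    }

    # Autostart value "XPCMonitor" under the Run key.
    $runKeys = @(
        'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($r in $runKeys) {
        $v = Get-ItemProperty -LiteralPath "Registry::$r" -Name 'XPCMonitor' -ErrorAction SilentlyContinue
        if ($v) { $found += [pscustomobject]@{ Type = 'RunValue'; Item = "$r -> $($v.XPCMonitor)" } }
    }
    return $found
}

$hits = Find-XPCMonitorArtifact
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No XPC Monitor artifacts found.' }
```

The `%UserProfile%` folder and the `HKEY_CURRENT_USER` subkey are evaluated for the account running the script, so run it once per user profile on a shared machine.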