Spyware.ClientMan

Printer Friendly Page

Updated: February 13, 2007 11:33:51 AM

Type: Spyware

Publisher: Odysseus Marketing, Inc

Risk Impact: High

File Names: Msckin.exe ms[4 RANDOM LETTERS].dll

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Spyware.ClientMan is installed, it performs the following actions:

Creates the file Msckin.exe, and registers it as a process.
Creates the following files and folders:
- %ProgramFiles%\ClientMan\new
- %ProgramFiles%\ClientMan\run
- %System%\ms[4 RANDOM LETTERS].dll
  
  Note:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:

"Client Man" = "Msckin.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runso the spyware runs when Windows starts.
Creates the subkeys:

HKEY_CURRENT_USER\Software\CliMan HKEY_CLASSES_ROOT\CLSID\{5ED50735-B0D9-47C6-9774-02DD8E6FE053} HKEY_CLASSES_ROOT\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB} HKEY_CLASSES_ROOT\CLSID\{CC916B4B-BE44-4026-A19D-8C74BBD23361} HKEY_CLASSES_ROOT\CLSID\{94927A13-4AAA-476A-989D-392456427688}HKEY_CLASSES_ROOT\CLSID\{0982868C-47F0-4EFB-A664-C7B0B1015808}HKEY_CLASSES_ROOT\Interface\{570F481A-1C3B-4DF6-9DBE-FAE17DD008F9} HKEY_CLASSES_ROOT\Interface\{A7370377-E217-4467-8448-9845270CD4A3} HKEY_CLASSES_ROOT\TypeLib\{75FC904C-6E6B-4E9D-9FD3-7A447962DA9B} HKEY_CLASSES_ROOT\TypeLib\{026E4B83-1BF7-41CB-8233-4AF35341BC69} HKEY_CLASSES_ROOT\AppID\urlcli.DLL HKEY_CLASSES_ROOT\AppID\{026E4B83-1BF7-41CB-8233-4AF35341BC69} HKEY_CLASSES_ROOT\Disable.DisableObj HKEY_CLASSES_ROOT\Disable.DisableObj.1 HKEY_CLASSES_ROOT\urlcli.UrlCliObj HKEY_CLASSES_ROOT\urlcli.UrlCliObj.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ED50735-B0D9-47C6-9774-02DD8E6FE053} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc916b4b-be44-4026-a19d-8c74bbd23361} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94927A13-4AAA-476A-989D-392456427688} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0982868C-47F0-4EFB-A664-C7B0B1015808} HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats \{0982868C-47F0-4EFB-A664-C7B0B1015808}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID \{00A0A40C-F432-4C59-BA11-B25D142C7AB7} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer \Browser Helper Objects\{00A0A40C-F432-4C59-BA11-B25D142C7AB7}
Runs as a plug-in for Internet Explorer.
May end Web browsing activity and send performance data to remote servers, including visited sites. It can also silently download and install updates.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}