
Spyware.Perfect

Updated:
February 13, 2007 11:34:39 AM
Type:
Spyware
Version:
1.6.2.0
Publisher:
Blazing Tools Software
Risk Impact:
High
File Names:
i_pbk147.exe,i_bpk2003.exe,i_pbk_basic.exe,i_bpk_lite.exe,Setup.exe,bpk.exe,bsdhooks.dll,lview.exe,W
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When the Spyware.Perfect installer is executed, it performs the following actions:
  1. Creates the following files in a user-configurable installation folder, which is by default %ProgramFiles%\BPK:

    • bpk.exe
    • bpkr.exe
    • bpkun.exe
    • bpkvw.exe
    • bpkhk.dll
    • bpki.dll
    • bpkwb.dll
    • bpk.chm
    • inst.bin
    • license.txt
    • downloads.url
    • order.url
    • install.log


      Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.

  2. Creates the following shortcuts in a user-configurable Programs menu folder, which is by default %UserProfile%\Start Menu\Programs\BlazingTools Perfect Keylogger:

    • BlazingTools Perfect Keylogger.lnk
    • Perfect Keylogger Help.lnk
    • Order now!.lnk
    • Uninstall Perfect Keylogger.lnk
    • More useful programs.lnk


      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[USER NAME] (Windows NT/2000/XP).

  3. Creates the following files for its bundled XP Logon Password Logger component (kbfiltr.sys is a kernel-mode keyboard filter driver; unkbfiltr.inf is the INF used to remove it):

    • %System%\drivers\kbfiltr.sys
    • %UserProfile%\Start Menu\Programs\XP Logon Password Logger\Download more Loggers.lnk
    • %UserProfile%\Start Menu\Programs\XP Logon Password Logger\Readme File.lnk
    • %UserProfile%\Start Menu\Programs\XP Logon Password Logger\Uninstall Password Logger.lnk
    • %UserProfile%\Start Menu\Programs\XP Logon Password Logger\XP Logon Password Logger.lnk
    • %ProgramFiles%\XP PL\downloads.url
    • %ProgramFiles%\XP PL\encoder.exe
    • %ProgramFiles%\XP PL\readme.html
    • %ProgramFiles%\XP PL\uninstall.exe
    • %ProgramFiles%\XP PL\unkbfiltr.inf


      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  4. Saves its log files in the following folder:

    %ProgramFiles%\XP PL\logs

  5. Adds the value:

    "bpk" = "[installation folder]\bpk.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that Spyware.Perfect runs every time Windows starts.

  6. May add the values:

    "DisplayName" = "BlazingTools Perfect Keylogger"
    "UninstallString" = "[installation folder]\bpkun.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Perfect Keylogger

    so that the program is listed in Add or Remove Programs.

  7. Creates and populates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}
    HKEY_CLASSES_ROOT\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}
    HKEY_CLASSES_ROOT\TypeLib\{1D1B286C-99FF-11E3-8D96-D7ACAC95952A}
    HKEY_CLASSES_ROOT\SS.SS
    HKEY_CLASSES_ROOT\SS.SS.1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP Password Logger 1.0
    HKEY_LOCAL_MACHINE\SOFTWARE\BPK
    HKEY_LOCAL_MACHINE\SOFTWARE\BT\XP Password Logger
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbfiltr


    The CLSID, Interface, TypeLib and SS.SS ProgID entries together with the Browser Helper Objects entry register its bpkwb.dll component as a Browser Helper Object loaded by Internet Explorer; Services\kbfiltr registers kbfiltr.sys as a kernel-mode driver service; the remaining keys hold the two components' configuration and Add or Remove Programs entries.

  8. Modifies the following registry values:

    "LocationInformationOverride" = "3f,04,3e,04,34,04,3a,04,3b,04,4e,04,47,04,35,04,3d,04,20,00,32,04,20,00,3f,04,
    3e,04,40,04,42,04,20,00,3a,04,3b,04,30,04,32,04,38,04,30,04,42,04,43,04,40,04,4b,04,00,00"
    "DriverDesc" = "21,04,42,04,30,04,3d,04,34,04,30,04,40,04,42,04,3d,04,30,04,4f,04,20,00,28,00,31,00,30,00,31,00,2f,
    00,31,00,30,00,32,00,20,00,3a,04,3b,04,30,04,32,04,38,04,48,04,38,04,29,00,20,00,38,04,3b,04,38,04,20,
    00,3a,04,3b,04,30,04,32,04,38,04,30,04,42,04,43,04,40,04,30,04,20,00,50,00,53,00,2f,00,32,00,20,00,4d,
    00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,4e,00,61,00,74,00,75,00,72,00,61,00,6c,00,00,00"


    in the subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\0000

    Note: {4D36E96B-E325-11CE-BFC1-08002BE10318} is the Windows setup class for keyboards, and \0000 is the first driver instance under it. The values are shown as UTF-16LE byte pairs; they decode to the Russian-language Windows keyboard descriptions "подключен в порт клавиатуры" ("connected to the keyboard port") and "Стандартная (101/102 клавиши) или клавиатура PS/2 Microsoft Natural" ("Standard (101/102-key) or Microsoft Natural PS/2 keyboard"). The text itself is the normal localized content of these values on the system used for analysis; the change that matters for detection is the kbfiltr filter driver added in item 12.

  9. Modifies the value:

    "Keyboard Port" = "05 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00"

    in the subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList

    Note: Each GroupOrderList value is a DWORD count followed by that many DWORD tags, giving the order in which the drivers of the named load-order group are started. The value above says the "Keyboard Port" group now has five tagged drivers (tags 1 through 5).

  10. Modifies the value:

    "DisplayName" = "14,04,40,04,30,04,39,04,32,04,35,04,40,04,20,00,69,00,38,00,30,00,34,00,32,00,2d,00,
    3a,04,3b,04,30,04,32,04,38,04,30,04,42,04,43,04,40,04,4b,04,20,00,38,04,20,00,3c,04,4b,04,48,04,38,
    04,20,00,34,04,3b,04,4f,04,20,00,3f,04,3e,04,40,04,42,04,30,04,20,00,50,00,53,00,2f,00,32,00,00,00"


    in the subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt

  11. Modifies the value:

    "DisplayName" = "14,04,40,04,30,04,39,04,32,04,35,04,40,04,20,00,3a,04,3b,04,30,04,41,04,41,04,30,04,20,00,
    3a,04,3b,04,30,04,32,04,38,04,30,04,42,04,43,04,40,04,4b,04,00,00"


    in the subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass

    Note: i8042prt is the PS/2 keyboard and mouse port driver and Kbdclass is the keyboard class driver, both part of Windows. The two DisplayName values decode (UTF-16LE) to their standard Russian-language names, "Драйвер i8042-клавиатуры и мыши для порта PS/2" ("i8042 keyboard and mouse driver for PS/2 port") and "Драйвер класса клавиатуры" ("Keyboard class driver").

  12. Modifies the following values:

    "Mfg" = "28,00,21,04,42,04,30,04,3d,04,34,04,30,04,40,04,42,04,3d,04,4b,04,35,04,20,00,3a,04,3b,04,30,04,
    32,04,38,04,30,04,42,04,43,04,40,04,4b,04,29,00,00,00"
    "DeviceDesc" = "21,04,42,04,30,04,3d,04,34,04,30,04,40,04,42,04,3d,04,30,04,4f,04,20,00,28,00,31,00,30,00,31,
    00,2f,00,31,00,30,00,32,00,20,00,3a,04,3b,04,30,04,32,04,38,04,48,04,38,04,29,00,20,00,38,04,3b,04,38,04,
    20,00,3a,04,3b,04,30,04,32,04,38,04,30,04,42,04,43,04,40,04,30,04,20,00,50,00,53,00,2f,00,32,00,20,00,4d,
    00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,4e,00,61,00,74,00,75,00,72,00,61,00,6c,00,00,00"
    "UpperFilters" = "kbfiltr"

    in the keyboard device registry subkeys, which are located under the following subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase

    Note: The names of such subkeys vary depending on the hardware of the computer.

    Note: "Mfg" decodes (UTF-16LE) to "(Стандартные клавиатуры)" ("(Standard keyboards)") and "DeviceDesc" to the same keyboard description as "DriverDesc" in item 8. The security-relevant change is "UpperFilters" = "kbfiltr": Plug and Play loads the kbfiltr.sys driver from item 3 as an upper filter on the keyboard device stack, above the keyboard class driver, so the driver sees every keystroke before it reaches user mode, including keystrokes typed on the Windows logon desktop, which user-mode keyboard hooks cannot observe. Removing the driver file without removing this value leaves the keyboard device unable to start.
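The registry artefacts in items 5 and 7 through 12 can be checked offline against a regedit export from a suspect machine. The following Python script is an added example, not code from this write-up, from Symantec, or from the spyware: it parses .reg syntax, decodes the UTF-16LE hex dumps shown above, unpacks the GroupOrderList value, and flags the Run value, the kbfiltr service and filter registration, and the Browser Helper Object. The .reg text embedded in it is constructed from the values listed above; the Enum device path (ACPI\PNP0303\4&5289e18&0) is a made-up instance path of the kind the note above says varies by hardware.

```python
"""Offline triage of a regedit (.reg) export for the Spyware.Perfect registry indicators.

Added example; not code from the write-up or from the spyware. SAMPLE_REG is
constructed from the values in the write-up; the Enum device path is invented.
"""
import re
import struct

KEYBOARD_CLASS = "{4D36E96B-E325-11CE-BFC1-08002BE10318}"   # Windows keyboard setup-class GUID
BHO_CLSID = "{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}"        # CLSID listed in the write-up

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"bpk"="C:\\Program Files\\BPK\\bpk.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\0000]
"LocationInformationOverride"=hex(1):3f,04,3e,04,34,04,3a,04,3b,04,4e,04,47,04,35,04,3d,04,20,00,32,04,20,00,\
  3f,04,3e,04,40,04,42,04,20,00,3a,04,3b,04,30,04,32,04,38,04,30,04,42,04,43,04,40,04,4b,04,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
"Keyboard Port"=hex:05,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,00,00,05,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbfiltr]
"ImagePath"="system32\\drivers\\kbfiltr.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0303\4&5289e18&0]
"UpperFilters"=hex(7):6b,00,62,00,66,00,69,00,6c,00,74,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}]
@=""
"""


def decode_utf16_hex(hex_bytes):
    """Decode a comma-separated hex dump of the kind shown in the write-up (UTF-16LE, NUL-terminated)."""
    data = bytes(int(b, 16) for b in re.split(r"[,\s]+", hex_bytes.strip()) if b)
    return data.decode("utf-16-le").rstrip("\x00")


def _decode_value(spec):
    """Right-hand side of a .reg value line -> (registry type name, Python value)."""
    if spec.startswith('"') and spec.endswith('"'):
        return "REG_SZ", spec[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if spec.startswith("dword:"):
        return "REG_DWORD", int(spec[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", spec)
    if not m:
        raise ValueError(f"unsupported value syntax: {spec!r}")
    kind = int(m.group(1) or 3)                        # bare 'hex:' is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):                                 # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
        return ("REG_SZ" if kind == 1 else "REG_EXPAND_SZ"), data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                      # REG_MULTI_SZ: NUL-separated, double-NUL terminated
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s]
    return "REG_BINARY", data


def parse_reg(text):
    """Parse a regedit export into {key path: {value name: (type, value)}}, joining backslash-continued lines."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                        # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, _, spec = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(spec)
    return keys


def parse_group_order(data):
    """GroupOrderList values: a DWORD count followed by that many DWORD load-order tags."""
    (count,) = struct.unpack_from("<I", data, 0)
    return list(struct.unpack_from(f"<{count}I", data, 4))


def find_indicators(keys):
    """Return (indicator, key path, detail) for each Spyware.Perfect registry artefact present."""
    hits = []
    for path, values in keys.items():
        p = path.lower()
        low = {n.lower(): v for n, v in values.items()}
        if p.endswith("\\currentversion\\run") and "bpk" in low:
            hits.append(("run-key persistence", path, low["bpk"][1]))
        if "upperfilters" in low:                      # filter driver inserted on a keyboard device or class
            kind, val = low["upperfilters"]
            names = val if kind == "REG_MULTI_SZ" else [val]
            if any(n.lower() == "kbfiltr" for n in names):
                hits.append(("kbfiltr keyboard filter driver", path, names))
        if p.endswith("\\services\\kbfiltr"):
            hits.append(("kbfiltr service", path, low.get("imagepath", (None, None))[1]))
        if "\\browser helper objects\\" + BHO_CLSID.lower() in p:
            hits.append(("browser helper object", path, None))
    return hits


if __name__ == "__main__":
    for indicator, path, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{indicator:32} {path}  {detail}")
```

To run it against a real machine, export HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\Software with regedit and call parse_reg(open(path, encoding="utf-16").read()); regedit on Windows 2000 and later writes .reg files as UTF-16LE with a byte-order mark. The script reports what is present; it does not clean anything, since removing kbfiltr.sys without also removing the UpperFilters entry leaves the keyboard unusable.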

  13. Can be configured to run in stealth mode, hiding itself from the Task Manager process list and the system tray.

  14. Records keystrokes typed on the computer and writes them to a log file. It can be configured to send the log files periodically by email.

