Spyware.PCAcme


Updated: February 13, 2007 11:35:36 AM
Type: Spyware
Publisher: Raytown Corp.
Risk Impact: High
File Names: Varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


Spyware.PCAcme is designed to run in stealth mode. Its installation folder is configurable and most of its file names are randomly generated, so detection cannot rely on a single fixed path.

When Spyware.PCAcme is installed, it performs the following actions:
  1. Prompts you to select the language.

  2. Prompts you with "You are about to install PC Acme. Do you wish to continue?"

  3. If you choose to continue, it displays an End User License Agreement (EULA).

  4. If the EULA is accepted, it requests that you select an access password.

  5. By default, it creates the folder Program Files\PCACME and installs its files there. This folder is configurable. Two files detected in this folder are Control.exe and View.exe.

  6. Adds files to the %System% folder. Nine files are created there in total, but only two have constant names:
    • aastor.dat
    • aastor.key


      Note: %System% is a variable. The spyware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  7. The remaining seven files have random names, such as jqyeipeh. Four of them share one random string as the base name and differ only in extension:
    • <filename>.exe
    • <filename>.cfg
    • <filename>.dll
    • <filename>.key

      The other three are .vxd files, each with its own random name. (VxD drivers are loaded only by Windows 95/98/Me; on Windows NT/2000/XP these files do not load but are still useful as indicators.)

  8. Creates a value under each of the following registry keys that points to the randomly named <filename>.exe, so the spyware starts automatically with Windows:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    For example, for a random name of jqiyhdsh:

    "jqiyhdsh" = %System%\jqiyhdsh.exe /setuser

      Note: The value name is the same random string as the file name. RunServices is processed only by Windows 95/98/Me; on Windows NT/2000/XP the Run value alone provides persistence.

This spyware has an uninstall feature, but it requires the access password that was chosen during installation.
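The indicators in steps 5 to 8 can be turned into a simple host-hunting check. The Python script below is an added example and is not Symantec's or the product's own detection logic: it tests a host inventory (a listing of %System%, the Program Files subfolders, and the values under the two Run keys) against the constant aastor.* names, the four-extension random-name pattern, and the /setuser autorun entry. The inventory dictionaries at the bottom are constructed sample data, and the assumption that random names are eight lowercase letters is inferred from the two examples on this page, not stated by it.

```python
"""Hunt for the Spyware.PCAcme indicators listed above over a host inventory.

Added example, not Symantec's detection logic: the checks below are built only
from the indicators in this write-up. The inventories at the bottom are
constructed sample data, not captured from a real host; on Windows the same
dicts can be filled from a directory listing of %System% and the two Run keys.
"""
import re
from collections import defaultdict

# Constant-named indicators quoted in the write-up (compared case-insensitively).
CONSTANT_SYSTEM_FILES = {"aastor.dat", "aastor.key"}
INSTALL_DIR_FILES = {"control.exe", "view.exe"}
SIBLING_EXTS = {".exe", ".cfg", ".dll", ".key"}
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
# Assumption: the two random names shown ("jqyeipeh", "jqiyhdsh") are eight
# lowercase letters. The write-up gives no length or alphabet, so this is a
# heuristic and should be loosened if real samples differ.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def random_sibling_sets(system_files):
    """Random base names in %System% that carry all of .exe/.cfg/.dll/.key."""
    exts_by_base = defaultdict(set)
    for name in system_files:
        base, dot, ext = name.lower().rpartition(".")
        if dot:
            exts_by_base[base].add("." + ext)
    return sorted(b for b, e in exts_by_base.items()
                  if RANDOM_NAME.match(b) and SIBLING_EXTS <= e)


def suspicious_run_values(run_values, system_dir, bases):
    """Run/RunServices values whose data is <%System%/base.exe> /setuser."""
    sysdir = system_dir.lower().rstrip("\\")
    hits = []
    for key, value_name, data in run_values:
        if key.lower() not in RUN_KEYS:
            continue
        parts = data.strip().split()
        if len(parts) != 2 or parts[1].lower() != "/setuser":
            continue
        directory, _, filename = parts[0].strip('"').lower().rpartition("\\")
        base, _, ext = filename.rpartition(".")
        if directory == sysdir and ext == "exe" and base in bases:
            hits.append((key, value_name, data))
    return hits


def assess(inv):
    """Return the PCAcme indicators present in a host inventory."""
    lower_sys = {f.lower() for f in inv["system_files"]}
    findings = {
        "constant_files": sorted(CONSTANT_SYSTEM_FILES & lower_sys),
        "random_sets": random_sibling_sets(inv["system_files"]),
        "install_dirs": sorted(
            d for d, files in inv["program_files_dirs"].items()
            if INSTALL_DIR_FILES <= {f.lower() for f in files}),
    }
    findings["run_values"] = suspicious_run_values(
        inv["run_values"], inv["system_dir"], set(findings["random_sets"]))
    # Random names alone are weak evidence; require a constant-named file or a
    # random set that is also wired into an autorun key.
    findings["likely_infected"] = bool(
        findings["constant_files"]
        or (findings["random_sets"] and findings["run_values"]))
    return findings


# Constructed sample inventory: a %System% listing, Program Files subfolders,
# and (key, value name, data) triples from the two autorun keys.
SAMPLE_INVENTORY = {
    "system_dir": r"C:\WINDOWS\system32",
    "system_files": [
        "kernel32.dll", "ntdll.dll", "msvcrt.dll", "aastor.dat", "aastor.key",
        "jqiyhdsh.exe", "jqiyhdsh.cfg", "jqiyhdsh.dll", "jqiyhdsh.key",
        "pbmvxtoa.vxd", "rlkzqwhe.vxd", "cdfuysnm.vxd",
    ],
    "program_files_dirs": {
        r"C:\Program Files\PCACME": ["Control.exe", "View.exe"],
        r"C:\Program Files\Internet Explorer": ["iexplore.exe"],
    },
    "run_values": [
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
         "jqiyhdsh", r"C:\WINDOWS\system32\jqiyhdsh.exe /setuser"),
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
         "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
         "jqiyhdsh", r"C:\WINDOWS\system32\jqiyhdsh.exe /setuser"),
    ],
}

# Constructed clean host for comparison.
CLEAN_INVENTORY = {
    "system_dir": r"C:\WINDOWS\system32",
    "system_files": ["kernel32.dll", "ntdll.dll", "msvcrt.dll"],
    "program_files_dirs": {r"C:\Program Files\Internet Explorer": ["iexplore.exe"]},
    "run_values": [
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
         "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ],
}

if __name__ == "__main__":
    for label, inv in (("sample", SAMPLE_INVENTORY), ("clean", CLEAN_INVENTORY)):
        print(label, assess(inv))
```

On a live Windows host the same dictionaries can be filled from a directory listing of %System% and a `reg query` of the two keys. The install folder is deliberately not part of the verdict because it is configurable and Control.exe/View.exe are generic names; it is reported so an analyst can confirm the find manually.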

