Spyware.InTheKnow


Updated: February 13, 2007 11:37:48 AM
Type: Spyware
Version: 1.1.7
Publisher: www.itksoft.com
Risk Impact: High
File Names: ITK.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Spyware.InTheKnow runs, it performs the following actions:
  1. Displays an introductory message.

  2. Gives you the option of registering the product at www.itksoft.com or entering a registration key.

  3. Allows you to type the main password. Typing this password while using any Windows program brings up the user interface.

  4. Gives you the option to determine the interval between taking snapshots.

  5. Gives you the choice of which programs to take snapshots of.

  6. Gives you picture management options, including how long files are stored and the maximum storage amount.

  7. Creates these files:
    • %Temp%\WZS2.tmp\SetupITK.exe
    • %Temp%\WZS2.tmp\Hooks32.exe
    • %Temp%\WZS2.tmp\ITKDLL.dll
    • %Temp%\WZS2.tmp\StartUp.exe

      Note:
      %Temp% is a variable that refers to the path to the temporary files folder.

      These files are used for installation and are subsequently deleted.

  8. Creates these files:
    • %System%\Brnts6.exe
    • %System%\WnDl.exe
    • %System%\MsW54.exe

      Note:
      %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  9. Creates the folder %System%\Balance, which is used to store keystroke and snapshot data.

  10. Creates the folder C:\ITKExport, which is used to store exported reports that the spyware generates.

  11. Adds the subkey:

    grnx

    to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft

    and adds these values to that subkey:

    "SgjTtVUWBq" = "iA88IFT"

    "Jp-i-cAR" = "1"

    "cQRfpP" = "1"

    "cQRWDCoUo" = "2bfRQ;;bcWoH;;cP.y;;iVFs0DtU;;QCpn;;W-A7;;uLZ2;;FP9Lp;;JWhgkkWA;;1DPpSSDo3PXX;;ANBuDONXORs;;nwrLIMa4v;;XLd2;;B0jkx;;4sSg;;KDhVyVlcs;;6_Sl;;b7eRV;;cwTTrn;;kft26UED;;So5xyI1L,d;;-.w2;;4ChF;;Kg1hy;;ZMeuufxTk;;v.HHWtuq;;g3N3q-BX;;prstq;;VT-L67;;unKO0a;;4ldp."

    "DwQ1pjlEuPfq" = "7"

    "Djm1pjlEuPfq" = "2"

    "DwQ4mCrpjn" = "7"

    "Djm4mCrpjn" = "2"

    "QkfCEClXd5Q" = "D:\sM26t\ukGIQs1f\Yn-p3qt"



    Note:
    Some of the registry values depend on settings that were made during the installation, and may be different from what is shown above.

  12. Adds the value:

    "Tg-DTGA3m" = "626I39vGvzVzYL26Oef"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft

  13. Adds the value:

    "DPpSSSlU4BksP" = "1"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\grnx

  14. Adds the value:

    "Brnts6.exe" = "%System%\Brnts6.exe"

    to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  15. Deletes the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
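
The file, folder, and registry artifacts from steps 8 through 14 can be checked on a host with a read-only script. The following is an added example, not part of the original write-up or of any vendor tool; the variable names are illustrative, and it matches only on names and paths listed above, since the note under step 11 says stored values can differ between installations.

```powershell
# Added example: read-only check for the artifacts listed in this write-up.
# It only reads the file system and registry and changes nothing.
$sys = [Environment]::GetFolderPath('System')   # resolves %System%

# Files and folders from steps 8-10.
$paths = @(
    (Join-Path $sys 'Brnts6.exe'),
    (Join-Path $sys 'WnDl.exe'),
    (Join-Path $sys 'MsW54.exe'),
    (Join-Path $sys 'Balance'),
    'C:\ITKExport'
)

$findings = @()
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# Step 11: the grnx subkey. Its value data varies per install, so test the key only.
$grnx = 'HKLM:\Software\Microsoft\grnx'
if (Test-Path -LiteralPath $grnx) { $findings += "Registry subkey present: $grnx" }

# Properties that Get-ItemProperty adds itself; these are not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Step 12: value name reported directly under HKLM\Software\Microsoft.
$ms = Get-ItemProperty -Path 'HKLM:\Software\Microsoft' -ErrorAction SilentlyContinue
if ($ms -and ($ms.PSObject.Properties | Where-Object { $_.Name -eq 'Tg-DTGA3m' })) {
    $findings += 'Registry value present: HKLM\Software\Microsoft\Tg-DTGA3m'
}

# Step 14: Run entry named Brnts6.exe, or any Run entry whose data points at it.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        if ($prop.Name -eq 'Brnts6.exe' -or "$($prop.Value)" -like '*\Brnts6.exe*') {
            $findings += "Run value present: $($prop.Name) = $($prop.Value)"
        }
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No listed artifacts found.' }
```

A single hit on a generic name such as C:\ITKExport is weak evidence on its own; the Run value together with the matching file in %System% is the stronger combination.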

