Spyware.SpyGraphica


Updated: February 13, 2007 11:37:56 AM
Type: Spyware
Version: 3.1
Publisher: cablehead software
Risk Impact: High
File Names: SpyGraphica.exe (installer), chm.exe, SpyGraphica.exe (main configuration manager), svchosts.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.SpyGraphica runs, it can:
  • Log keystrokes and screenshots.
  • Hide and unhide its tray icon.
  • Transfer logs via email.

When Spyware.SpyGraphica runs, it does the following:
  1. Displays the installation instructions.

  2. Prompts for the installation folder. The default installation folder is C:\SpyGraphica.

    Note: The rest of this document assumes that you chose to install the spyware in the default directory.

  3. Creates the following files:
    C:\SpyGraphica\lCap\chm.exe: Used for registration. Detected as Spyware.SpyGraphica.
    C:\SpyGraphica\lCap\dfr.abc
    C:\SpyGraphica\INSTALL.LOG: Installation information.
    C:\SpyGraphica\ReadMe.txt: Documentation.
    C:\SpyGraphica\SpyGraphica.exe: Main configuration application. Detected as Spyware.SpyGraphica.
    C:\SpyGraphica\SpyGraphica.exe.manifest: Spyware information.
    C:\SpyGraphica\svchosts.exe: Main logging application. Detected as Spyware.SpyGraphica.
    C:\SpyGraphica\UNWISE.EXE: Generic uninstaller.
    C:\Documents and Settings\Administrator\Start Menu\Programs\SpyGraphica\SpyGraphica.lnk: Start menu link.

  4. Creates the following files in the %System% directory if they do not already exist:

    Note: %System% is a variable. The spyware locates the System folder and copies the files to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    Important:
    Other applications may use the following files. Microsoft provides many of the files. We advise that you do not erase these files.
    • WISE0001.DLL
    • OCXREG32.EXE
    • PROGRESS.DLL
    • W32INST.DLL
    • OLEAUT32.DLL
    • OLEPRO32.DLL
    • ASYCFILT.DLL
    • STDOLE2.TLB
    • MSVBVM60.DLL
    • REGSVR32.EXE
    • COMCAT.DLL
    • MFC42.DLL
    • MSVCRT40.DLL
    • MSCOMCTL.OCX
    • COMDLG32.OCX
    • VBAR332.DLL
    • RESTART.EXE
    • UNWISE32.EXE
    • GETCPU.DLL
    • SSUBTMR6.DLL
    • SSUBTMR.DLL
    • DWSPY36.DLL
    • DWSHK36.OCX
    • CCRPTMR6.DLL
    • IJL11.DLL
    • GLABCORE.DLL
    • CCRPSLD.OCA
    • CCRPSLD.OCX
    • MSWINSCK.OCX
    • VBALGRID6.OCX
    • XPMENU.OCX
    • MSVCRT.DLL
    • MBPRGBAR.OCX
    • VBALIML6.OCX
    • SCRRUN.DLL

  5. Adds the value:

    "RegHelp" = "C:\SPYGRA~1\svchosts.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  6. Creates the following registry keys/values:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyGraphica Pro 3\DisplayName = "SpyGraphica Pro 3"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyGraphica Pro 3\UninstallString = "C:\SPYGRA~1\UNWISE.EXE C:\SPYGRA~1\INSTALL.LOG"
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/SpyGraphica/INSTALL.LOG\Icons\1\Path = "C:\SPYGRA~1\SpyGraphica.exe"
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/SpyGraphica/INSTALL.LOG\Icons\1\ShowWindow = "1"
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/SpyGraphica/INSTALL.LOG\Icons\1\Arguments = ""
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/SpyGraphica/INSTALL.LOG\Icons\1\WorkingDir = ""
    HKEY_LOCAL_MACHINE\Software\Windows\aAppString = "<string found in application to screen capture>"
    HKEY_LOCAL_MACHINE\Software\Windows\aDesktop = "<option for screen capture style>"
    HKEY_LOCAL_MACHINE\Software\Windows\aline = "<mail setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\ap = "C:\SPYGRA~1\svchosts.exe"
    HKEY_LOCAL_MACHINE\Software\Windows\CapAtBoot = "<option for starting capture at boot time>"
    HKEY_LOCAL_MACHINE\Software\Windows\cDelay = "<screen capture delay in milliseconds>"
    HKEY_LOCAL_MACHINE\Software\Windows\eDesktop = "<option for screen capture style>"
    HKEY_LOCAL_MACHINE\Software\Windows\f1 = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\f2 = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\flo = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Font = "<font of log>"
    HKEY_LOCAL_MACHINE\Software\Windows\fqual = "<capture quality>"
    HKEY_LOCAL_MACHINE\Software\Windows\Frunner = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Home = "C:\SPYGRA~1\svchosts.exe"
    HKEY_LOCAL_MACHINE\Software\Windows\Left = "<positioning setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Left2 = "<positioning setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Lrun = "<last run time>"
    HKEY_LOCAL_MACHINE\Software\Windows\madd = "<mailing address>"
    HKEY_LOCAL_MACHINE\Software\Windows\MD = "<disk options>"
    HKEY_LOCAL_MACHINE\Software\Windows\MDSpace = "<maximum disk space>"
    HKEY_LOCAL_MACHINE\Software\Windows\mEnabled = "<log mailing setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\mfreq = "<mailing frequency>"
    HKEY_LOCAL_MACHINE\Software\Windows\modem = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\msvr = "<mailing server>"
    HKEY_LOCAL_MACHINE\Software\Windows\nframes = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\ram = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\rtards = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Run = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\sApp = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\SavePath = "<path to save logs>"
    HKEY_LOCAL_MACHINE\Software\Windows\sDelay = "<viewing delay in seconds>"
    HKEY_LOCAL_MACHINE\Software\Windows\Stealth = "<stealth options>"
    HKEY_LOCAL_MACHINE\Software\Windows\StopIfMax = "<maximum disk setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\ToolTip = "<warning message>"
    HKEY_LOCAL_MACHINE\Software\Windows\Top = "<positioning setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Top2 = "<positioning setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Xfor = "<encrypted password>"
    HKEY_LOCAL_MACHINE\Software\Windows\zMin = "<miscellaneous setting>"
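
The registry indicators from steps 5 and 6 can be checked offline against a registry export. The following is an added example, not part of the original write-up: the function names, the finding labels and both sample exports are constructed for illustration. It goes slightly beyond the default-path case described above by matching the svchosts.exe file name rather than C:\SPYGRA~1, because the installer lets the user pick the folder.

```python
import re

# Indicators copied from the write-up above; key paths are compared in lower case.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
UNINSTALL_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall\spygraphica pro 3"
CFG_KEY = r"hkey_local_machine\software\windows"
CFG_NAMES = {"ap", "home", "xfor", "stealth", "capatboot", "savepath", "madd", "msvr"}
STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: string_data}}, names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := STRING_VALUE.fullmatch(line)):
            # .reg files escape backslashes and quotes inside string data
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def find_spygraphica(text):
    """Return a list of findings; empty when none of the indicators are present."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Match the file name, not C:\SPYGRA~1: the install folder is user-selectable
        if name == "reghelp" or re.search(r"(^|\\)svchosts\.exe", data, re.I):
            hits.append(f"run:{name}={data}")
    if UNINSTALL_KEY in keys:
        hits.append("uninstall:SpyGraphica Pro 3")
    cfg_seen = sorted(CFG_NAMES & keys.get(CFG_KEY, {}).keys())
    if len(cfg_seen) >= 3:  # require several names together; single names are generic
        hits.append("config:" + ",".join(cfg_seen))
    return hits

# Constructed sample exports (not captured from a real host).
INFECTED = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegHelp"="D:\\Tools\\sg\\svchosts.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Windows]
"ap"="D:\\Tools\\sg\\svchosts.exe"
"Home"="D:\\Tools\\sg\\svchosts.exe"
"Stealth"="1"
'''
CLEAN = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Windows\\System32\\svchost.exe -k example"
'''
```

Pass find_spygraphica() the text of a file produced by reg export; such files are normally UTF-16 encoded, so open them with encoding="utf-16". The legitimate svchost.exe entry in the clean sample does not match, since only the svchosts.exe spelling named above is flagged.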

