Spyware.AceSpy


Updated: February 13, 2007 11:37:59 AM
Type: Spyware
Version: 2.02.0018
Publisher: Retina-X Studios
Risk Impact: High
File Names: Acespy32.exe,Systune.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Spyware.AceSpy can do the following:
    • Log keystrokes.
    • Log the names of open programs.
    • Take periodic screenshots.
    • Set a list of key words to monitor.
    • Send alerts by email whenever a program or Web page that contains a key word is opened.
    • Automatically close programs or Web pages that contain key words.
    • Send the logged information to a specified email address or FTP server.
    • Allow the person who installed it to access the interface by pressing Ctrl+Alt+Shift+M, and then entering a password. The default password is 123456.

When Spyware.AceSpy runs, it performs the following actions:

  1. Creates these folders:
    • %System%\Acespy
    • %System%\Acespy\Manual. This folder contains the help/readme manual.

      Note:
      %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following files:
    • %System%\acespy\__acelog.ndx: A log file that is not malicious and will therefore not be detected.
    • %System%\acespy\ANSMTP.dll: A valid ActiveX mail server.
    • %System%\acespy\Asycfilt.dll: A valid ActiveX component.
    • %System%\acespy\Comcat.dll: A valid Windows dll.
    • %System%\acespy\Comdlg32.ocx: A valid ActiveX component.
    • %System%\acespy\ijl11.dll: A valid JPEG conversion dll.
    • %System%\acespy\KTKbdHk.dll: A valid keyboard hooking dll.
    • %System%\acespy\Makecab.exe: A valid archive application.
    • %System%\acespy\Mscomct2.ocx: A valid ActiveX component.
    • %System%\acespy\Mscomctl.ocx: A valid ActiveX component.
    • %System%\acespy\Msinet.ocx: A valid ActiveX component.
    • %System%\acespy\Msmapi32.ocx: A valid ActiveX component.
    • %System%\acespy\Mswinsck.ocx: A valid ActiveX component.
    • %System%\acespy\Riched32.dll: A valid Windows dll.
    • %System%\acespy\Richtx32.ocx: A valid ActiveX component.
    • %System%\acespy\Shlwapi.dll: A valid Windows dll.
    • %System%\acespy\Sysinfo.ocx: A valid ActiveX component.
    • %System%\acespy\systune.exe: The spyware component.
    • %System%\acespy\Tabctl32.ocx: A valid ActiveX component.
    • %System%\acespy\Wininet.dll: A valid Windows dll.
    • %System%\acespy\keylog<current_date>.log: A key log file. This is not malicious, and therefore, will not be detected.
    • %System%\acespy\file<current_date_and_time>.jpg: A screenshot. This is not malicious, and therefore, will not be detected.
    • %System%\ace16win.dll: A log file that is not malicious, and therefore, will not be detected.

  3. Adds the value:

    "regsvc"="%System%\acespy\systune"

    to the registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  4. Adds the value:

    "systune"="%System%\acespy\systune.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  5. Adds the following values to the registry:
      HKEY_CLASSES_ROOT\CLSID\{20C62CAB-15DA-101B-B9A8-444553540000}\InprocServer32\(Default) = "%System%\acespy\MSMAPI32.OCX"
      HKEY_CLASSES_ROOT\CLSID\{20C62CAB-15DA-101B-B9A8-444553540000}\ToolboxBitmap32\(Default) = "%System%\acespy\MSMAPI32.OCX, 1000"
      HKEY_CLASSES_ROOT\TypeLib\{20C62CAB-15DA-101B-B9A8-444553540000}\1.1\0\win32\(Default) = "%System%\acespy\MSMAPI32.OCX"
      HKEY_CLASSES_ROOT\CLSID\{6FBA474B-43AC-11CE-9A0E-00AA0062BB4C}\InprocServer32\(Default) = "%System%\acespy\SYSINFO.OCX"
      HKEY_CLASSES_ROOT\CLSID\{6FBA474B-43AC-11CE-9A0E-00AA0062BB4C}\ToolboxBitmap32\(Default) = "%System%\acespy\SYSINFO.OCX, 5"
      HKEY_CLASSES_ROOT\TypeLib\{6FBA474B-43AC-11CE-9A0E-00AA0062BB4C}\1.1\0\win32\(Default) = "%System%\acespy\SYSINFO.OCX"
      HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\(Default) = "%System%\acespy\MSINIET.OCX, 1"
      HKEY_CLASSES_ROOT\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32\(Default) = "%System%\acespy\RICHTX32.OCX"
      HKEY_CLASSES_ROOT\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\1.2\ToolboxBitmap32\(Default) = "%System%\acespy\RICHTX32.OCX, 1"
      HKEY_CLASSES_ROOT\TypeLib\{3B7C8860-D78F-101B-B9B5-04021C009402}\1.2\0\win32\(Default) = "%System%\acespy\RICHTX32.OCX"
      HKEY_CLASSES_ROOT\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}\InprocServer32\(Default) = "%System%\acespy\RICHTX32.OCX"
      HKEY_CLASSES_ROOT\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}\InprocServer32\(Default) = "%System%\acespy\RICHTX32.OCX"
      HKEY_CURRENT_USER\Software\VB and VBA Program Settings\systune\Options\Counter = "1"
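
The Run-key values from steps 3 and 4 can be checked for in a registry export. The following is an added example, not part of the original write-up: it assumes the input is already-decoded .reg export text, and the sample export, function names and the looser "runs from acespy folder" rule are constructed for illustration.

```python
import re

# Indicators from the write-up; %System% is expanded using the page's note.
SYSTEM_DIRS = [r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"]
RUN_KEYS = {h + r"\software\microsoft\windows\currentversion\run"
            for h in ("hkey_local_machine", "hkey_current_user")}
RUN_VALUES = {"regsvc": r"%system%\acespy\systune",
              "systune": r"%system%\acespy\systune.exe"}
ESC = re.compile(r"\\(.)")  # .reg files escape backslashes and quotes

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"regsvc"="C:\\Windows\\System32\\acespy\\systune"
"systune"="C:\\WINDOWS\\system32\\acespy\\systune.exe"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"regsvc"="C:\\Windows\\System32\\acespy\\systune"
'''

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if m and key:
            yield key, ESC.sub(r"\1", m.group(1)), ESC.sub(r"\1", m.group(2))

def normalise(path):
    """Lower-case a path and fold a known system directory back to %system%."""
    p = path.strip().lower()
    for d in SYSTEM_DIRS:
        if p.startswith(d + "\\"):
            return "%system%" + p[len(d):]
    return p

def find_acespy_autoruns(text):
    """Return (key, name, data, reason) for Run entries matching the write-up."""
    hits = []
    for key, name, data in parse_reg_export(text):
        norm = normalise(data)
        reason = ("exact match" if RUN_VALUES.get(name.lower()) == norm else
                  "runs from acespy folder"
                  if norm.startswith("%system%\\acespy\\") else None)
        if key.lower() in RUN_KEYS and reason:
            hits.append((key, name, data, reason))
    return hits
```
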

