
Spyware.ActivMonAgent


Updated: February 13, 2007 11:38:01 AM
Type: Spyware
Version: 3.6
Publisher: Deep Software (www.softactivity.com)
Risk Impact: High
File Names: amagent3.exe,amaware.dll,dconsole.dll,slgr.dll,swkbhkl.dll,swmain.dll,swsys.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


Spyware.ActivMonAgent is a component of a commercial spyware package. Someone with administrator privileges on a networked computer can install this component manually or remotely. When this component is installed on a host system, it allows the monitoring system to:
    • Monitor and log key strokes, applications, and any activity on the host system
    • View and terminate any process on the host system
    • View real-time screenshots of the host system
    • Run programs on the host system
    • Log off the user of the host system
    • Shut down the host system
    • Send messages to the host system
    • Open Web sites and documents on the host system

When Spyware.ActivMonAgent is installed, it performs the following actions:
  1. Creates the following files:
    • amaware.dll: A backdoor component.
    • awmsg.dat: A file that includes a disclaimer. This file will not be detected, as it is not malicious.
    • dconsole.dll: A backdoor component.
    • ijl15.dll: A valid JPEG dll.
    • guid.dat: This file will not be detected, as it is not malicious.
    • mfc42.dll: A valid Microsoft dll.
    • msvcrt.dll: A valid Microsoft dll.
    • slgr.dll: A keylogger component.
    • swkbhkl.dll: A process-monitoring component.
    • swmain.dll: A backdoor component.
    • swsys.exe: A backdoor component.
    • unins000.dat: This file will not be detected, as it is not malicious.
    • unins000.exe: The uninstaller. This file will not be detected, as it is not malicious.
    • winam.dat: This file will not be detected, as it is not malicious.

      Note: These files will be in C:\Program Files\AMSys by default, but the installer may select a different location.

  2. Adds the value:

    "SWClient" = "C:\Program Files\AMSys\swsys.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  3. Adds the value:

    "swsys.exe" = "swsys.exe"

    to the registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList

    to disable Microsoft error reporting for this program.

  4. Adds the following registry subkey:

    "WinL"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE
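A host check for the persistence and file indicators listed above, as an added PowerShell example that is not part of the Symantec writeup; it assumes the default install directory and the registry paths exactly as given, and should be run from an elevated prompt so HKLM is readable.

```powershell
# Added example (not from the Symantec writeup): looks for the registry and file
# indicators that this writeup attributes to Spyware.ActivMonAgent.
$indicatorFiles = @('amagent3.exe','amaware.dll','dconsole.dll','slgr.dll',
                    'swkbhkl.dll','swmain.dll','swsys.exe')
$findings = @()

# 1. Run-key persistence: the "SWClient" value that points at swsys.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SWClient']) {
    $findings += "Run value SWClient = $($run.SWClient)"
}

# 2. Error-reporting exclusion for swsys.exe (both keys named in the writeup)
$exclKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList',
  'HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList'
)
foreach ($k in $exclKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['swsys.exe']) { $findings += "ExclusionList entry under $k" }
}

# 3. The bare "WinL" subkey under HKLM\SOFTWARE
if (Test-Path 'HKLM:\SOFTWARE\WinL') { $findings += 'Subkey HKLM\SOFTWARE\WinL present' }

# 4. Component files: default install directory, plus whatever directory the
#    Run value points at, since the installer may choose a different location
$dirs = @(Join-Path $env:ProgramFiles 'AMSys')
if ($run -and $run.SWClient) { $dirs += Split-Path -Parent ($run.SWClient.Trim('"')) }
foreach ($d in ($dirs | Select-Object -Unique)) {
    foreach ($f in $indicatorFiles) {
        $full = Join-Path $d $f
        if (Test-Path $full) { $findings += "File present: $full" }
    }
}

if ($findings.Count -eq 0) { 'No Spyware.ActivMonAgent indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The check reports only the indicators named in this writeup; a clean result does not rule out a renamed or relocated install, so treat it as a first pass before a full scan.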
