Spyware.SpyCapture


Updated: February 13, 2007 11:38:02 AM
Type: Spyware
Version: 1.4.4.0
Publisher: TSM-Soft
Risk Impact: Medium
File Names: MSSCDLL.exe
Systems Affected: Windows 2000, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Spyware.SpyCapture is distributed in Winzip format as the file ISpyCap.Zip.

When the file is unzipped, it creates the following files:

    • %CurrentFolder%\MSSCDLL.exe
    • %CurrentFolder%\Setup.exe
    • %CurrentFolder%\Cvwrt.dll
    • %CurrentFolder%\Readme.txt
    • %CurrentFolder%\Order.txt
    • %CurrentFolder%\Evaluation License.txt
    • %Windir%\system\mscomp32.dll
    • %Windir%\MSSCDLLSYS32.exe
    • %Windir%\system\scd.dat

      Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

When Setup.exe is executed, it performs the following actions:

  1. Creates some of the following files:

    • %Windir%\MSSSDLL.exe
    • %Windir%\COMMAND\Order.txt.
    • %Windir%\cvwrt.dll
    • %Windir%\cmsd.dll
    • %Windir%\Temp\Readme.txt

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Deletes some of the following files:

    • %CurrentFolder%\MSSSDLL.exe
    • %CurrentFolder%\COMMAND\Order.txt.
    • %CurrentFolder%\cvwrt.dll
    • %CurrentFolder%\cmsd.dll
    • %CurrentFolder%\Temp\Readme.txt

  3. Executes MSSCDLL.EXE or MSSCDLLSYS32.exe.

  4. Displays Readme.txt.

  5. Drops the file %System%\mscomp32.dll, which is not an executable file.

  6. Adds one of the following values:


    "MSSCDLL" = "%Windir%\MSSCDLL.exe"
    "MSSCDLLSYS32.exe" = "%Windir%\MSSCDLLSYS32.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs whenever Windows starts up.

  7. Prompts the user to log in again. The risk will then run in Hidden mode.

  8. Allows the user to access the "SpyCapture Control Panel" by pressing Ctrl+Alt+Shift+Home. This allows the user to configure many aspects of the risk.

  9. Logs all keystrokes, as well as the names of all running applications.

  10. Takes periodic screenshots.

  11. Stores the screenshots and keystroke logs in the %Windir%\Command\SC\ folder as files with a .tps extension. These files are encrypted and the folder location is configurable.
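
The following triage check is an added example, not part of the original write-up or any vendor tool. It matches the Run-key values and file names listed above against collected host data. The function names, the `reg query`-style input format and the sample data are assumptions constructed for illustration.

```python
import re

# Indicators copied from the write-up above, lower-cased, with %Windir% kept symbolic.
RUN_INDICATORS = {
    "msscdll": r"%windir%\msscdll.exe",
    "msscdllsys32.exe": r"%windir%\msscdllsys32.exe",
}
FILE_INDICATORS = {
    r"%windir%\msscdll.exe", r"%windir%\msscdllsys32.exe",
    r"%windir%\msssdll.exe", r"%windir%\system\mscomp32.dll",
    r"%windir%\system\scd.dat", r"%windir%\cvwrt.dll", r"%windir%\cmsd.dll",
}
# One value line of `reg query` output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^[ \t]+(.+?)[ \t]{4}(REG_\w+)[ \t]{4}(.*)$", re.M)

def normalise(path, windir):
    """Lower-case a path, keep only a quoted program path, fold windir to %windir%."""
    quoted = re.match(r'\s*"([^"]+)"', path)
    p = (quoted.group(1) if quoted else path.strip()).lower()
    p = p.replace("%systemroot%", "%windir%")
    root = windir.lower().rstrip("\\")
    return "%windir%" + p[len(root):] if p.startswith(root + "\\") else p

def find_run_persistence(reg_output, windir=r"C:\Windows"):
    """Return (value name, reason) for Run values matching by name, target or both."""
    hits = []
    for m in VALUE_LINE.finditer(reg_output):
        name, _kind, data = m.groups()
        name_hit = name.lower() in RUN_INDICATORS
        target_hit = normalise(data, windir) in RUN_INDICATORS.values()
        if name_hit or target_hit:
            reason = "+".join(k for k, hit in
                              (("name", name_hit), ("target", target_hit)) if hit)
            hits.append((name, reason))
    return hits

def find_dropped_files(paths, windir=r"C:\Windows"):
    """Return the listed paths whose normalised form is a known dropped file."""
    return sorted(p for p in paths if normalise(p, windir) in FILE_INDICATORS)

# Constructed sample data (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    MSSCDLL    REG_SZ    C:\WINNT\MSSCDLL.exe
    Updater    REG_SZ    "C:\WINNT\msscdllsys32.exe" /s
"""
SAMPLE_FILES = [r"C:\WINNT\system\scd.dat", r"C:\WINNT\notepad.exe",
                r"C:\WINNT\System\mscomp32.dll"]
```

A "target" match without a name match flags a renamed Run value that still points at one of the listed executables. Pass the host's actual Windows folder as `windir`, since the write-up gives both C:\Windows and C:\Winnt as defaults.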

