Spyware.Winvest


Updated: February 13, 2007 11:38:04 AM
Type: Spyware
Version: 2.3
Publisher: Tropical Software
Risk Impact: High
File Names: winvestigator.exe wv.exe sysninit.dll syswvnt.dll syswvh.dll loaddll.exe syswvwin.dll syswv
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.Winvest is installed, it performs the following actions:
  1. Creates the following files:
    • %ProgramFiles%\wv\wvh.dll - Used to display manual.
    • %ProgramFiles%\wv\wvres.dll - Used to display help file.
    • %ProgramFiles%\wv\wv.exe - The main application for configuring and log viewing.
    • %ProgramFiles%\wv\viewer.wv - Text file indicating viewer-only installation.
    • %ProgramFiles%\wv\un.exe - Generic uninstaller.
    • %ProgramFiles%\wv\wvlg - Log file.
    • %ProgramFiles%\wv\FILE_ID.DIZ - Program identification information.
    • %ProgramFiles%\wv\Trop.url - Link to Tropical Software website.
    • %ProgramFiles%\wv\winvestigator.xml - Program identification information.
    • %ProgramFiles%\wv\README.TXT - Documentation.
    • %Windir%\sysninit.dll - Used for logging Internet activity.
    • %Windir%\spoder.dll - The Microsoft Winsock2 reorder service.
    • %Windir%\syswvnt.dll - Used for logging Internet activity.
    • %Windir%\syswvh.dll - Used to start/stop logging.
    • %Windir%\loaddll.exe - Loads correct DLLs to monitor the computer.
    • %Windir%\syswvwin.dll - Used by loaddll.dll.
    • %Windir%\syswvmail.dll - Used to send logs via email.
    • %Windir%\loaddll.dll - Used by loaddll.exe.
    • %Windir%\gerevniw.Dvw
    • C:\Documents and Settings\Administrator\Start Menu\Programs\Winvestigator\Winvestigator.lnk - Start menu link.
    • C:\Documents and Settings\Administrator\Desktop\Winvestigator.lnk - Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\Winvestigator\Tropical Software Website.lnk - Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\Winvestigator\Readme.lnk - Start menu link.

    Note:
    • %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Adds the value:

    "loaddll" = "loaddll.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  3. Adds the value:

    "(Default)" = "C:\Program Files\wv\wv.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\wv.exe

  4. Adds the keys:

    HKEY_CLASSES_ROOT\.send
    HKEY_CLASSES_ROOT\wvFile
    HKEY_CURRENT_USER\Software\tropsoft
    HKEY_LOCAL_MACHINE\Software\tropsoft
    HKEY_LOCAL_MACHINE\Software\Microsoft\wvsys
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Winvestigator
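
The file and registry artifacts listed in steps 1 to 4 can be checked on a host with a read-only script. The following is an added example, not part of the original write-up or the vendor's tooling; the function name `Get-WinvestArtifact` and its parameters are hypothetical, and the default folder locations are assumed to come from the environment.

```powershell
# Added example: read-only presence check for the artifacts listed in this write-up.
# Get-WinvestArtifact and its parameters are hypothetical names; nothing is modified.
function Get-WinvestArtifact {
    param(
        [string]$ProgramFiles = $env:ProgramFiles,
        [string]$WinDir       = $env:windir
    )
    # Step 1: file names as given in the write-up (per-user shortcuts omitted).
    $appFiles = 'wvh.dll','wvres.dll','wv.exe','viewer.wv','un.exe','wvlg',
                'FILE_ID.DIZ','Trop.url','winvestigator.xml','README.TXT'
    $winFiles = 'sysninit.dll','spoder.dll','syswvnt.dll','syswvh.dll','loaddll.exe',
                'syswvwin.dll','syswvmail.dll','loaddll.dll','gerevniw.Dvw'
    $paths  = @($appFiles | ForEach-Object { Join-Path $ProgramFiles "wv\$_" })
    $paths += @($winFiles | ForEach-Object { Join-Path $WinDir $_ })

    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $item = Get-Item -LiteralPath $p -Force   # -Force also returns hidden files
            [pscustomobject]@{ Kind = 'File'; Location = $p; Detail = $item.LastWriteTime }
        }
    }

    # Steps 3 and 4: registry keys the write-up says are added.
    $sw   = 'Registry::HKEY_LOCAL_MACHINE\Software'
    $keys = 'Registry::HKEY_CLASSES_ROOT\.send',
            'Registry::HKEY_CLASSES_ROOT\wvFile',
            'Registry::HKEY_CURRENT_USER\Software\tropsoft',
            "$sw\tropsoft",
            "$sw\Microsoft\wvsys",
            "$sw\Microsoft\Windows\CurrentVersion\Uninstall\Winvestigator",
            "$sw\Microsoft\Windows\CurrentVersion\App Paths\wv.exe"
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{ Kind = 'RegistryKey'; Location = $k; Detail = $null }
        }
    }

    # Step 2: the "loaddll" autostart value under the Run key.
    $run = "$sw\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -LiteralPath $run -Name 'loaddll' -ErrorAction SilentlyContinue).loaddll
    if ($val) {
        [pscustomobject]@{ Kind = 'RunValue'; Location = "$run\loaddll"; Detail = $val }
    }
}

Get-WinvestArtifact | Format-Table -AutoSize -Wrap
```

On 64-bit Windows, 32-bit software is redirected to Program Files (x86) and HKLM\Software\WOW6432Node, which this sketch does not query.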

