Updated: February 13, 2007 11:38:09 AM
Type: Spyware
Version: 2.25
Publisher: X Software Inc
Risk Impact: Low
File Names: XPCSpyPro.exe, AppSpy.dll, IESpy.dll, KeySpy.dll, SysDll32.dll, Rx.exe, Systemout.exe, AppMon.dll, IEMon.dll
Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows XP
Spyware.XpcSpy can do the following:
- Log keystrokes
- List all running programs
- Log instant messenger conversations
- Take periodic screen shots
- Send the log files by email or FTP
When Spyware.XpcSpy is executed, it performs the following actions:
- May create one or more of the following files:
  - %ProgramFiles%\XSoftware\XPCSpyPro\XPCSpyPro.exe
  - %ProgramFiles%\XSoftware\Working\XPCSpyPro.exe - This is the main spyware file.
  - %ProgramFiles%\XSoftware\XPCSpyPro\AppSpy.dll
  - %ProgramFiles%\XSoftware\XPCSpyPro\IESpy.dll
  - %ProgramFiles%\XSoftware\XPCSpyPro\KeySpy.dll
  - %ProgramFiles%\XSoftware\Working\AppMon.dll
  - %ProgramFiles%\XSoftware\Working\IEMon.dll
  - %ProgramFiles%\XSoftware\Working\KeyMon.dll
  - %ProgramFiles%\XSoftware\Working\StartPrograms\HomePage.lnk
  - %ProgramFiles%\XSoftware\Working\StartPrograms\Readme.lnk
  - %ProgramFiles%\XSoftware\Working\StartPrograms\Run Me.lnk
  - %ProgramFiles%\XSoftware\Working\StartPrograms\Uninstall Me.lnk
  - %ProgramFiles%\XSoftware\Working\StartPrograms\User Manual.lnk
  - %ProgramFiles%\XSoftware\Working\StartPrograms
  - %ProgramFiles%\XSoftware\Working\AppHot.sup
  - %ProgramFiles%\XSoftware\Working\bk.bmp
  - %ProgramFiles%\XSoftware\Working\file_id.diz
  - %ProgramFiles%\XSoftware\Working\IeHot.sup
  - %ProgramFiles%\XSoftware\Working\license.txt
  - %ProgramFiles%\XSoftware\Working\Manual.chm
  - %ProgramFiles%\XSoftware\Working\Readme.txt
  - %ProgramFiles%\XSoftware\Working\record.tdb
  - %ProgramFiles%\XSoftware\Working\UnistInfo.ini
  - %ProgramFiles%\XSoftware\Working\Web.url
  - %ProgramFiles%\XSoftware\unins000.dat
  - %ProgramFiles%\XSoftware\unins000.exe
  - %System%\systemout.exe
  - %System%\SysDll32.dll
  - %System%\rx.exe
  - %System%\wintft.dll
  - %System%\drivers\systemin.sys
Notes:
- %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- May create one or more of the following folders:
  - %ProgramFiles%\XSoftware
  - %ProgramFiles%\XSoftware\Report
  - %ProgramFiles%\XSoftware\Screenshots
  - %ProgramFiles%\XSoftware\Working
  - %ProgramFiles%\XSoftware\Working\tmp
- Adds one or more of the following registry keys:
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA41EE62-B36A-4344-850C-9221073CF6B9}
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppMon.TShellExecuteHook
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEMon.IESpy
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}
- Adds the following value:
  "System Check" = "Rundll32.exe SysDll32.dll,SystemCheck"
  to the following registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  so that the spyware runs when you start Windows.
- Adds the following value:
  "ImagePath" = "%System%\systemout.exe"
  to the following registry key:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SystemOutService
  so that the spyware runs as a service when you start Windows.
- Logs all keystrokes, instant messenger conversations, and running programs, and takes periodic screen shots. The default log file path is %ProgramFiles%\XSoftware\Report.
- Sends out the log files and screen shots through email or FTP.
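The registry entries listed above can be checked offline against a text export of a machine's registry. The following is an added example, not part of the original writeup or any vendor tool: the function name `scan_reg_export` and the `SAMPLE` export are assumptions constructed for illustration, and only the keys and values come from this page.

```python
import re

H = "HKEY_LOCAL_MACHINE\\"
CV = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
# Registry keys named in the writeup (the last one holds the service ImagePath).
KEYS = [H + k for k in (
    r"SOFTWARE\Classes\CLSID\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}",
    r"SOFTWARE\Classes\CLSID\{BA41EE62-B36A-4344-850C-9221073CF6B9}",
    r"SOFTWARE\Classes\CLSID\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}",
    r"SOFTWARE\Classes\AppMon.TShellExecuteHook",
    r"SOFTWARE\Classes\IEMon.IESpy",
    CV + r"\Explorer\Browser Helper Objects\{17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC}",
    CV + r"\Explorer\ShellExecuteHooks\{E3E1DC8E-0CE1-4D96-8D49-E5B2B7B51ADA}",
    r"SYSTEM\CurrentControlSet\Services\SystemOutService",
)]
# (key, value name, substring expected in the data) for the two autostart values.
VALUES = [
    (H + CV + r"\Run", "System Check", "sysdll32.dll"),
    (H + r"SYSTEM\CurrentControlSet\Services\SystemOutService", "ImagePath", "systemout.exe"),
]
# Constructed sample export for illustration (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System Check"="Rundll32.exe SysDll32.dll,SystemCheck"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17a54bfc-8214-4f5c-b1a7-a161bfa5fdcc}\InprocServer32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemOutService]
"ImagePath"="C:\\WINDOWS\\system32\\systemout.exe"
'''

def scan_reg_export(text):
    """Return sorted (kind, key, detail) hits for a regedit text export passed as str."""
    hits, cur = set(), ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            # An indicator key counts when it or any subkey beneath it is present.
            hits.update(("key", k, "") for k in KEYS
                        if (cur + "\\").startswith(k.lower() + "\\"))
            continue
        if not (m := re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)):
            continue  # skips default (@), dword: and hex: entries and blank lines
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # undo .reg escapes
        for key, vname, needle in VALUES:
            if cur == key.lower() and name.lower() == vname.lower() and needle in data.lower():
                hits.add(("value", key, f"{vname} = {data}"))
    return sorted(hits)
```

Regedit 5.00 exports are UTF-16, so decode the file before passing its text to `scan_reg_export`. An `ImagePath` stored as REG_EXPAND_SZ is exported as `hex(2):` data, which this example does not decode, so in that case the service is reported only as a key hit.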