
Spyware.iiPwrKeySpy

Updated: February 13, 2007 11:38:21 AM
Type: Spyware
Version: 1.0
Publisher: IIPwr.com
Risk Impact: High
File Names: Srcexc.exe, SpyGenerator.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Spyware.iiPwrKeySpy is distributed as the file IIPWR_install.exe.


When IIPWR_install.exe is executed, it performs the following actions:
  1. Creates the following files in a (selectable) folder.

    The default installation path is %ProgramFiles%\IIPwr Package:
    • SpyGenerator.exe: Detected as Spyware.iiPwrKeySpy.
    • FileDecoder.exe
    • SimpleDNSResolver.dll
    • TopMail.exe: Detected as Spyware.iiPwrKeySpy.

      Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is "C:\Program Files\".

  2. Adds the value:

    "(Default)" = "<installation path>\SimpleDNSResolver.dll"

    to the registry keys:

    HKEY_Classes_Root\CLSID\{B91D4568-D492-11D3-8021-0010E3B966CE}\InprocServer32
    HKEY_Classes_Root\TypeLib\{B91D4558-D492-11D3-8021-0010E3B966CE}\1.0\0\win32

When SpyGenerator.exe is executed, it creates the actual keylogger executable. The individual who installed the spyware can select the file name. The default file name is C:\SomethingNice.exe. The spyware will ask the individual to select an email address to which the log files will be sent.

When SomethingNice.exe (the actual keylogger) is executed, it does the following:
  1. Creates the following files:
    • %System%\srvexec.exe: Detected as Spyware.iiPwrKeySpy.
    • %System%\Inetsxa.dll: Detected as Spyware.iiPwrKeySpy.
    • %System%\Reshl32.lib

      Notes:
    • %System%\srvexec.exe is the main spyware file, detected as Spyware.iiPwrKeySpy.
    • %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "srvexc.exe" = "%System%\srvexc.exe"

    to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  3. Sends log files to the predefined email address.
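
The file and registry indicators listed above can be checked against a host inventory, shown here as an added example that is not part of the original write-up or the publisher's tooling. The function names, the (key, value name, data) tuple format and the sample data are assumptions constructed for illustration; the keylogger's own file name is selectable, so it is not matched.

```python
import ntpath

# Indicators copied from the write-up. It spells the main file both as
# "srvexec.exe" (file list) and "srvexc.exe" (Run value), so both are matched.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
SYSTEM_FILES = {"srvexec.exe", "srvexc.exe", "inetsxa.dll", "reshl32.lib"}
RUN_NAMES = {"srvexec.exe", "srvexc.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
COM_KEYS = {
    r"hkey_classes_root\clsid\{b91d4568-d492-11d3-8021-0010e3b966ce}\inprocserver32",
    r"hkey_classes_root\typelib\{b91d4558-d492-11d3-8021-0010e3b966ce}\1.0\0\win32",
}


def norm(text):
    """Lower-case and strip surrounding whitespace and quotes."""
    return text.strip().strip('"').lower()


def check_files(paths):
    """Return the paths that name a listed file inside a default %System% folder."""
    split = [(p, ntpath.split(norm(p))) for p in paths]
    return [p for p, (folder, name) in split
            if folder in SYSTEM_DIRS and name in SYSTEM_FILES]


def check_registry(entries):
    """entries: (key, value_name, data) tuples. Return the ones the page describes."""
    hits = []
    for key, name, data in entries:
        k = norm(key).rstrip("\\")
        base = ntpath.basename(norm(data))
        if k == RUN_KEY and (norm(name) in RUN_NAMES or base in RUN_NAMES):
            hits.append((key, name, data))
        # The install folder is selectable, so match the DLL name, not the path.
        elif k in COM_KEYS and base == "simplednsresolver.dll":
            hits.append((key, name, data))
    return hits


# Constructed sample inventory, for illustration only.
SAMPLE_FILES = [r"C:\WINDOWS\system32\srvexec.exe", r"D:\tools\Inetsxa.dll"]
SAMPLE_REG = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "srvexc.exe", r"%System%\srvexc.exe"),
    (r"HKEY_CLASSES_ROOT\CLSID\{B91D4568-D492-11D3-8021-0010E3B966CE}\InprocServer32",
     "(Default)", r"E:\Apps\SimpleDNSResolver.dll"),
]
```

Matching is case-insensitive, and a listed file name outside the default %System% folders is deliberately not reported.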

