Updated: May 10, 2006 3:08:32 PM
Type: Spyware
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Spyware.ChatWatch is a spyware program that can record online chat conversations.
The risk may arrive as the file cw3setup.exe.
Once executed, it creates the following files:
cw.exe
ccrpTmr6.dll
PolarZIPLight.dll
Richtx32.ocx
smtp.ocx
unins00.exe
unins00.dat
The installation path and hotkey combination are configurable. The defaults are:
The default installation path is "%ProgramFiles%\CW3\"
The default hotkey is "CTRL+F6"
The risk creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"cwatch" = "[INSTALLATION PATH]\cw.exe"
The risk creates the following registry subkeys:
HKEY_Classes_Root\CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\InprocServer32\
HKEY_Classes_Root\CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\ToolboxBitmap32\
HKEY_Classes_Root\TypeLib\{9ccd14d6-abe0-44bf-8f04-29e59d2cda5d}\5.0\HELPDIR\
HKEY_Classes_Root\TypeLib\{42f1591e-830c-11d2-bbde-0055003b26de}\1.0\win32\
HKEY_Classes_Root\CLSID\{42f1591e-830c-11d2-bbde-0055003b26de}\InprocServer32\
The risk performs the following actions:
Logs all instant messenger conversations.
Sends log files via email.
Disables Task Manager to hinder users from viewing the list of currently running applications.
The risk searches for a window with a title bar containing the words "Task Manager" (for example, "Windows Task Manager") and kills the process.
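The registry entries listed earlier in this write-up can be checked against a registry export (.reg text). The following Python check is an added example, not part of the original write-up; the sample export, the function names and the likely/review/clean grading are assumptions of the example. Because the installation path is configurable, it matches the "cwatch" Run value and the cw.exe file name rather than the default path.

```python
import re

# Indicators copied from the write-up above (compared case-insensitively).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
RUN_VALUE = "cwatch"
SUBKEYS = [s.lower() for s in (
    r"HKEY_CLASSES_ROOT\CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\InprocServer32",
    r"HKEY_CLASSES_ROOT\CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\ToolboxBitmap32",
    r"HKEY_CLASSES_ROOT\TypeLib\{9ccd14d6-abe0-44bf-8f04-29e59d2cda5d}\5.0\HELPDIR",
    r"HKEY_CLASSES_ROOT\TypeLib\{42f1591e-830c-11d2-bbde-0055003b26de}\1.0\win32",
    r"HKEY_CLASSES_ROOT\CLSID\{42f1591e-830c-11d2-bbde-0055003b26de}\InprocServer32",
)]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export: non-default install path, one matching subkey.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"cwatch"="D:\\Util\\cw.exe"
[HKEY_CLASSES_ROOT\CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\InprocServer32]
'''

def unescape(s):
    # .reg string data escapes backslashes and quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Collect the registry traces named in the write-up from .reg text."""
    found = {"run_command": None, "subkeys": []}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\").lower()
            if key in SUBKEYS:
                found["subkeys"].append(key)
            continue
        m = VALUE_RE.match(line)
        if m and key == RUN_KEY and unescape(m.group(1)).lower() == RUN_VALUE:
            found["run_command"] = unescape(m.group(2))
    return found

def verdict(found):
    # Grading is this example's assumption: the autostart value pointing at
    # cw.exe is the strong signal; COM subkeys alone only warrant a review.
    cmd = (found["run_command"] or "").strip('"').lower()
    if cmd.endswith("\\cw.exe"):
        return "likely"
    return "review" if cmd or found["subkeys"] else "clean"
```

Registry exports are commonly saved as UTF-16, so decode the file accordingly before passing its text to scan_reg_export.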