Spyware.PCAcme.B


Updated: February 13, 2007 11:38:29 AM
Type: Spyware
Version: 6.3
Publisher: Raytown Corporation
Risk Impact: High
File Names: pcacme.exe, control.exe, view.exe, .exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


There are three versions of Spyware.PCAcme.B:
  • Personal
  • NET
  • PRO

All of these versions create the same files and make the same registry changes.

Depending on the version, the spyware can keep logs of the following:
  • Keystrokes: Personal, NET, PRO
  • Mouse clicks: Personal, NET, PRO
  • Program usage: Personal, NET, PRO
  • Passwords: Personal, NET, PRO
  • URLs: Personal, NET, PRO
  • Email: NET, PRO
  • Viewing: Personal, NET, PRO
  • Analyzing tool usage: PRO

When Spyware.PCAcme.B is installed, it does the following:
  1. Allows the person installing it to select the language.

  2. Displays the license agreement.

  3. Allows the choice of installation:
    • Full
    • Custom: Allows selection from Spy Agent, Control Center, Log Viewer, Uninstall, and Create shortcuts

  4. Allows the choice of the installation folder. The default installation folder is %ProgramFiles%\PC Acme.

    Note:
    %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.

  5. Allows the creation of a password for the spyware.

  6. Creates the following folders and files:
    • %ProgramFiles%\PC Acme\control.exe: The Control Center of the Spyware. Detected as Spyware.PCAcme.B.
    • %ProgramFiles%\PC Acme\pcacme.chm: Help file.
    • %ProgramFiles%\PC Acme\uninst.exe: Uninstaller.
    • %ProgramFiles%\PC Acme\view.exe: The log viewer. Detected as Spyware.PCAcme.B.
    • %ProgramFiles%\PC Acme\instlng: Installation language.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\PC Acme\Control Center.lnk: Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\PC Acme\Help.lnk: Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\PC Acme\View Log.lnk: Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\PC Acme\Uninstall PC Acme components.lnk: Start menu link.
    • C:\WINNT\System32\aastor.dat: Configuration.
    • C:\WINNT\System32\aastor.key: Configuration key.
    • C:\WINNT\System32\<random name>.exe: Main logger. Detected as Spyware.PCAcme.B.
    • C:\WINNT\System32\<random name>.dll: The logger uses this DLL.
    • C:\WINNT\System32\<random name>.cfg: Configuration.
    • C:\WINNT\System32\<random name>.key: Configuration key.
    • C:\WINNT\System32\<random name>.hiv: Log file.
    • Three additional .sys files with randomly generated names.

  7. Adds the value:

    "<random name>" = "C:\WINNT\System32\<random name>.exe /setuser"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Spyware runs when you start Windows.

  8. Adds the subkey:

    PC Acme uninstall

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

    and then adds these values to that subkey:

    "DisplayName" = "PC Acme (uninstall only)"
    "UninstallString" = "%ProgramFiles%\PC Acme\uninst.exe -p"%ProgramFiles%\PC Acme""


  9. Adds a service with the following attributes:

    Note:
    The Spyware takes the display name of an existing service and appends " service" to it to form its own display name.

    For example, if a service with the display name "Security Accounts Manager" exists, the Spyware may add itself with the display name "Security Accounts Manager service".
    • Service name: "<random name>"
    • Display name: "<Existing Service Name> service"
    • Path to executable: "C:\WINNT\system32\<random name>.exe"
    • Startup type: "Automatic"
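
One way to check a service inventory for the display-name pattern in step 9 and correlate it with the Run value from step 7. This is an added example, not part of the original write-up: the record layout, function names and sample data are assumptions, and the random name "qxvbtr" is constructed.

```python
import ntpath

SUFFIX = " service"
# Constructed sample inventory (not from a real host): one dict per service,
# e.g. as exported from the Services snap-in. "qxvbtr" is a made-up name.
SAMPLE_SERVICES = [
    {"name": "SamSs", "display": "Security Accounts Manager",
     "path": r"C:\WINNT\system32\lsass.exe", "start": "Automatic"},
    {"name": "qxvbtr", "display": "Security Accounts Manager service",
     "path": r"C:\WINNT\system32\qxvbtr.exe", "start": "Automatic"},
    {"name": "Spooler", "display": "Print Spooler",
     "path": r"C:\WINNT\system32\spoolsv.exe", "start": "Automatic"},
]
# Constructed sample of HKLM\...\CurrentVersion\Run values (name -> data).
SAMPLE_RUN = {
    "qxvbtr": r"C:\WINNT\System32\qxvbtr.exe /setuser",
    "tray": r"C:\Program Files\Example\tray.exe",
}

def exe_basename(command):
    """Lower-cased executable file name taken from a command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        idx = cmd.lower().find(".exe")
        exe = cmd[:idx + 4] if idx != -1 else cmd.split(" ", 1)[0]
    return ntpath.basename(exe).lower()

def find_masquerading_services(services, run_values):
    """Flag automatic services named '<existing display name> service'."""
    displays = {s["display"].strip().lower() for s in services}
    # Executables started from the Run key with the /setuser argument.
    run_exes = {exe_basename(d) for d in run_values.values()
                if d.lower().rstrip().endswith("/setuser")}
    hits = []
    for s in services:
        disp = s["display"].strip().lower()
        if not disp.endswith(SUFFIX) or disp[:-len(SUFFIX)] not in displays:
            continue  # name is not an existing display name plus the suffix
        if s["start"].lower() != "automatic":
            continue
        exe = exe_basename(s["path"])
        hits.append({"name": s["name"], "display": s["display"],
                     "exe": exe, "in_run_key": exe in run_exes})
    return hits

if __name__ == "__main__":
    for hit in find_masquerading_services(SAMPLE_SERVICES, SAMPLE_RUN):
        print(hit)
```

A hit is a lead for review rather than a verdict, since a legitimate product could follow the same naming pattern; a hit with `in_run_key` set matches both persistence mechanisms described above.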

