Spyware.WinGuardian

Printer Friendly Page

Updated: February 13, 2007 11:38:54 AM

Type: Spyware

Version: 3.0

Publisher: Webroot Software, Inc.

Risk Impact: High

File Names: Wg20.exe,Sysctrl.exe,Sys.exe

Systems Affected: Windows 2000, Windows NT, Windows XP

Spyware.WinGuardian is a Windows-monitoring utility that runs stealthily and records all the activities.

This program logs what programs are run, text that is typed into the programs, Web sites visited, and captures screenshots.

When Spyware.WinGuardian is installed and run, it performs the following actions:

Adds the value:

"System"="C:\WINNT\system\sysctrl.exe /a"to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runso that the spyware is run every time that Windows starts.
Adds the following subkey:

HKEY_LOCAL_MACHINE\Software\CPNEand adds several registry values to this subkey.
Creates the following files:
- %SystemDrive%\Windows\System\system.in
- %SystemDrive%\Windows\System\wglogs\system.lg
- %SystemDrive%\Windows\System\wglogs\sc
- %SystemDrive%\Windows\System\aup.in
- %SystemDrive%\Windows\System\img.jpg
- %SystemDrive%\Windows\System\message.in
- %SystemDrive%\Windows\System\keyhook.dll
- %SystemDrive%\Windows\System\sysctrl.exe
- %SystemDrive%\Windows\System\chapinfo.txt
- %SystemDrive%\Windows\System\unchap.drv
- %SystemDrive%\Windows\System\sysfiles.in
- %SystemDrive%\Windows\System\sys.exe
- %SystemDrive%\Windows\System\sys.htm
  
  Note: %SystemDrive% is a variable that refers to the drive on which the Windows installation resides. By default, this is drive C.
Runs stealthily in the background. To view the logs and change settings, you must use hot keys. The default hot keys are Ctrl+Alt+Shift+Y.
Can be set to block specific Web sites.
Send logs to an email address.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}