
Spyware.Apropos

Updated:
February 13, 2007 11:41:02 AM
Type:
Spyware
Publisher:
peopleonpage
Risk Impact:
High
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Spyware.Apropos runs, it does the following:

  1. May create some of the following files:

    • %Windir%\Downloaded Program Files\aprload.bin
    • %Windir%\Downloaded Program Files\load.exe
    • %Windir%\Downloaded Program Files\monpop.exe
    • %Windir%\Downloaded Program Files\pop225.dll
    • %Windir%\Downloaded Program Files\pophook4.dll
    • %Windir%\Downloaded Program Files\PopSrv225.exe
    • %Temp%\install_ct.exe
    • %Temp%\auto_update_loader.exe
    • %Temp%\CXtPls.exe
    • %Temp%\ProxyStub.dll
    • %Temp%\WinGenerics.dll
    • %Temp%\ace.dll
    • %Temp%\atla.dll
    • %Temp%\atlw.dll
    • %Temp%\data.bin
    • %Temp%\libexpat.dll
    • %Temp%\ph.exe
    • %Temp%\pm.exe
    • %Temp%\setup.inf
    • %Temp%\uninstaller.exe
    • %Temp%\atl.dll
    • %System%\atmon.exe
    • %System%\intfaxui.exe

      Note:
      • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
      • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
      • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. May add the following values:

    "AutoLoaderAproposClient" = "C:\WINDOWS\Downloaded Program Files\aprload.exe /ShowLegalNote /PC="POP.POP"
    "POP" = "C:\WINDOWS\Downloaded Program Files\PopSrv225.exe
    "
    "AutoLoaderEnvoloAutoUpdater" = "auto_update_loader.exe"
    "[random name]" = "intfaxui.exe"


    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that Spyware.Apropos runs every time Windows starts.

  3. Adds the value:

    "[random name]" = "atmon.exe"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that Spyware.Apropos.B runs every time Windows starts.

  4. May create some of the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
    HKEY_CLASSES_ROOT\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
    HKEY_CLASSES_ROOT\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
    HKEY_CLASSES_ROOT\CLSID\{5EB250D7-2F0D-2C7A-0DC0-8A508FE8F3C}\{6B16BB4F-0B38-8762-1D21-878D02D8C66}
    HKEY_CLASSES_ROOT\CLSID\{5EB250D7-2F0D-2C7A-0DC0-8A508FE8F3C}\{7096C141-D32A-7EA3-B355-B2410136DDE}
    HKEY_CLASSES_ROOT\CLSID\{5967BAE1-2AB3-00FC-21E8-57362EAE900}\{758A7D6C-1952-3347-39E5-45F8F2D6433}
    HKEY_CLASSES_ROOT\CLSID\{645FD3BC-C314-4F7A-9D2E-64D62A0FDD78}
    HKEY_CLASSES_ROOT\CLSID\{65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}
    HKEY_CLASSES_ROOT\CLSID\{8023A3E7-AB95-4C23-8313-0BE9842CC70E}
    HKEY_CLASSES_ROOT\CLSID\{976C4E11-B9C5-4B2B-97EF-F7D06BA4242F}
    HKEY_CLASSES_ROOT\CLSID\{D5580D6F-0E5F-4BDB-9CDF-F8EE68BEB008}
    HKEY_CLASSES_ROOT\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
    HKEY_CLASSES_ROOT\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}
    HKEY_CLASSES_ROOT\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}
    HKEY_CLASSES_ROOT\POP.Server.1
    HKEY_CLASSES_ROOT\POP.Server
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8023A3E7-AB95-4C23-8313-0BE9842CC70E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Apropos
    HKEY_CURRENT_USER\Software\POP
    HKEY_LOCAL_MACHINE\Software\AutoLoader
    HKEY_LOCAL_MACHINE\SOFTWARE\Envolo
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient
    HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{D5580D6F-0E5F-4BDB-9CDF-F8EE68BEB008}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{645FD3BC-C314-4F7A-9D2E-64D62A0FDD78}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\POP

  5. May go into an infinite loop of reading values from:

    HKEY_CLASSES_ROOT\CLSID\{5967BAE1-2AB3-00FC-21E8-57362EAE900}

    causing 100% CPU usage.

  6. Downloads and displays advertisements.

  7. Monitors browser activity and periodically contacts a remote server for instructions. Depending on the reply, it may:
    • Download and execute a program
    • Reconfigure itself to contact a different remote server
    • Adjust the interval between updates (the default interval is 12 hours)
    • Send information to the remote server
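
As an added example that is not part of the Symantec write-up, the following Python script parses a `reg export` of the two Run keys named in items 2 and 3 above and flags any value whose data names one of the executables listed there. The `.reg` text, the benign Synaptics entry and the random value name `x7qk2` are constructed sample data, and the parser handles only REG_SZ `"name"="data"` lines.

```python
import re

# Run-key payload names taken from items 2 and 3 of the write-up.
APROPOS_RUN_PAYLOADS = ("aprload.exe", "popsrv225.exe",
                        "auto_update_loader.exe", "intfaxui.exe", "atmon.exe")
# The two autostart keys the write-up says are modified (lower-cased for matching).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Constructed sample of a `reg export` of both keys (not a real capture);
# the Synaptics entry is a benign decoy that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP"="C:\\WINDOWS\\Downloaded Program Files\\PopSrv225.exe"
"AutoLoaderEnvoloAutoUpdater"="auto_update_loader.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"x7qk2"="atmon.exe"
'''

# A REG_SZ line is  "name"="data"  with backslashes and quotes backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Payload name must be a whole token, so e.g. "datmon.exe" does not match "atmon.exe".
PAYLOAD_RE = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, APROPOS_RUN_PAYLOADS))
                        + r")(?![\w.])", re.IGNORECASE)


def unescape(s):
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Yield (key, value_name, value_data) for each REG_SZ line of a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))


def find_apropos_autoruns(text):
    """Return (key, value_name, executable) for Run-key entries naming an Apropos payload."""
    hits = []
    for key, name, data in parse_reg(text):
        if key.lower() in RUN_KEYS and (m := PAYLOAD_RE.search(data)):
            hits.append((key, name, m.group(1).lower()))
    return hits
```

A real `reg export` file is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing its text to `find_apropos_autoruns`.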

