Spyware.ACM


Updated: February 13, 2007 11:43:19 AM
Type: Spyware
Version: 4.0
Publisher: Zemerick Software
Risk Impact: High
File Names: ACMService.exe,zsHook.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP



The following are features of Spyware.ACM:
    • Logs keystrokes, URLs visited and programs executed.
    • Sends the logs via FTP or e-mail.
    • Disables Task Manager to hinder users from viewing the list of currently running applications.

When Spyware.ACM runs, it performs the following actions:

  1. Creates the following files:

    • %ProgramFiles%\ACM\ACMConfig.exe: Configures the program
    • %ProgramFiles%\ACM\ACMDLL.dll: Helper file for ACMService.exe
    • %ProgramFiles%\ACM\ACMService.exe: Main component of the program
    • %ProgramFiles%\ACM\polarcrypto.dll: Encrypts/decrypts data
    • %ProgramFiles%\ACM\PolarZIPLight.dll: Zip/unzip library
    • %ProgramFiles%\ACM\zsHook.dll: Keylogger
    • %ProgramFiles%\ACM\unins000.exe: Uninstaller for the program
    • %System%\ccrpTmr6.dll: Timer library
    • %UserProfile%\Start Menu\Programs\ACM\*.lnk
    • ACM\start.ico
    • ACM\stop.ico
    • ACM\ACM Quick Start Guide.pdf

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
      Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
      Note: %ProgramFiles%\ACM is the default installation folder. This is configurable by the user.

  2. Also creates the following legitimate files if they are not already present on the system:

    • %System%\comdlg32.exe
    • %System%\msinet.ocx
    • %System%\MSWINSCK.OCX
    • %System%\RICHTX32.OCX
    • %System%\TABCTL32.OCX

  3. Creates a service with the following attributes:

    • Service name: "ACMService"
    • Display name: "ACMService"
    • Path to executable: "<path to ACMService.exe>"
    • Startup type: "Automatic"


  4. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Classes\ACMDLL.ServiceEntry
    HKEY_LOCAL_MACHINE\Software\Classes\Applications\Winrar.exe
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ACMService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACMService
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ccrpTimers6.ccrpCountdown
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ccrpTimers6.ccrpStopWatch
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ccrpTimers6.ccrpTimer
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ccrpTimers6.ccrpTimerStats
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ccrpTimers6.ICcrpCountdownNotify
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ccrpTimers6.ICcrpCountdownNotifyEx
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ccrpTimers6.ICcrpTimerNotify
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ccrpTimers6.ICcrpTimerNotifyEx
    HKEY_CLASSES_ROOT\ACMDLL.ServiceEntry
    HKEY_CLASSES_ROOT\PDSSmtpLib.Smtp
    HKEY_CLASSES_ROOT\PolarZIPLight.ZIPLight
    HKEY_CLASSES_ROOT\PolarZIPLight.ZIPLight.5
    HKEY_CLASSES_ROOT\Crypto.Crypto
    HKEY_CLASSES_ROOT\Crypto.Crypto.2.5
    HKEY_CLASSES_ROOT\Crypto.CryptoData
    HKEY_CLASSES_ROOT\Crypto.CryptoData.2.5
    HKEY_CLASSES_ROOT\Crypto.CryptoSfdProperties
    HKEY_CLASSES_ROOT\Crypto.CryptoSfdProperties.2.5
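
As an added triage example (not part of the original write-up): a read-only PowerShell check for the file, service and registry artifacts listed above. It assumes the default %ProgramFiles%\ACM install folder, maps the HKEY_CLASSES_ROOT keys to HKLM\SOFTWARE\Classes, and treats the DisableTaskMgr policy value as an assumed mechanism for the Task Manager lockout the page describes.

```powershell
# Added example, not from the write-up: report Spyware.ACM artifacts on a host.
# Read-only; it reports and never deletes. Assumes the default install folder
# %ProgramFiles%\ACM (the page notes the folder is user-configurable), so an
# empty result is not proof of absence.
$findings = @()

# 1. Dropped files: default install folder plus the timer library in %System%
$acmDir = Join-Path $env:ProgramFiles 'ACM'
$files  = @('ACMConfig.exe','ACMDLL.dll','ACMService.exe','polarcrypto.dll',
            'PolarZIPLight.dll','zsHook.dll','unins000.exe') |
          ForEach-Object { Join-Path $acmDir $_ }
$files += Join-Path ([Environment]::GetFolderPath('System')) 'ccrpTmr6.dll'
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. The auto-start service (service name and display name are both ACMService)
$svc = Get-CimInstance Win32_Service -Filter "Name='ACMService'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service present: $($svc.Name) [$($svc.StartMode)] -> $($svc.PathName)"
}

# 3. Registry keys from the write-up that carry the program's own names.
#    HKEY_CLASSES_ROOT has no default PowerShell drive; its machine-wide half
#    lives under HKLM\SOFTWARE\Classes, which is what is checked here.
$keys = @(
    'HKLM:\SOFTWARE\Classes\ACMDLL.ServiceEntry',
    'HKLM:\SYSTEM\CurrentControlSet\Services\ACMService',
    'HKLM:\SOFTWARE\Classes\PDSSmtpLib.Smtp',
    'HKLM:\SOFTWARE\Classes\PolarZIPLight.ZIPLight',
    'HKLM:\SOFTWARE\Classes\Crypto.Crypto'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 4. Task Manager lockout. The write-up only says Task Manager is disabled;
#    checking the DisableTaskMgr policy value is an assumption about how,
#    so a hit here is a lead to corroborate, not an ACM-specific indicator.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$v = Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($v -and $v.DisableTaskMgr -eq 1) { $findings += "Policy: DisableTaskMgr=1 under $pol" }

if ($findings.Count -eq 0) { 'No Spyware.ACM indicators found (default paths only).' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated prompt so the HKLM and %System% checks are not masked by access errors.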

