Spyware.CMKeyLogger


Updated: February 13, 2007 11:43:21 AM
Type: Spyware
Version: 1.4
Publisher: ReFog Software
Risk Impact: High
File Names: WINLOGON.exe SETUP.exe pl.dll WinSystems.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.CMKeyLogger is installed, it performs the following actions:

  1. Creates the following files:

    • %UserProfile%\Desktop\Captain Mnemo Pro.lnk
    • %UserProfile%\Start Menu\Programs\Captain Mnemo Pro\Captain Mnemo Pro.lnk
    • %UserProfile%\Start Menu\Programs\Captain Mnemo Pro\Help.lnk
    • %UserProfile%\Start Menu\Programs\Captain Mnemo Pro\How To Purchase.lnk
    • %UserProfile%\Start Menu\Programs\Captain Mnemo Pro\License Agreement.lnk
    • %UserProfile%\Start Menu\Programs\Captain Mnemo Pro\Official web site.lnk
    • %UserProfile%\Start Menu\Programs\Captain Mnemo Pro\Uninstall.lnk
    • %ProgramFiles%\Captain Mnemo Pro\Catalan.lng
    • %ProgramFiles%\Captain Mnemo Pro\Danish.lng
    • %ProgramFiles%\Captain Mnemo Pro\Español.lng
    • %ProgramFiles%\Captain Mnemo Pro\Farsi.lng
    • %ProgramFiles%\Captain Mnemo Pro\FILE_ID.DIZ
    • %ProgramFiles%\Captain Mnemo Pro\Help.chm
    • %ProgramFiles%\Captain Mnemo Pro\How To Purchase.url
    • %ProgramFiles%\Captain Mnemo Pro\Lang.txt
    • %ProgramFiles%\Captain Mnemo Pro\LICENSE.TXT
    • %ProgramFiles%\Captain Mnemo Pro\Nederlands.lng
    • %ProgramFiles%\Captain Mnemo Pro\Official web site.url
    • %ProgramFiles%\Captain Mnemo Pro\README.TXT
    • %ProgramFiles%\Captain Mnemo Pro\uninstall.exe
    • %ProgramFiles%\Captain Mnemo Pro\uninstall.ini
    • %ProgramFiles%\Captain Mnemo Pro\Urdu.lng
    • %ProgramFiles%\Captain Mnemo Pro\WINLOGON.exe
    • %System%\pl.dll
    • %System%\WinSystems.exe
    • %System%\WSCpmSet.dll
    • %System%\WSCpmWCl.dll
    • %System%\ci0-cabinet.dll (Legitimate Microsoft Cabinet File API)


    Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\keyfile
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Captain Mnemo Pro
    HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software\HPRG
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSystem
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSystem
    HKEY_CURRENT_USER\Software\Captain Mnemo Pro


  3. Adds the value:

    "WinSystem" = "%ProgramFiles%\Captain Mnemo Pro\WinSystems.exe /UNINSTALL /SELFDEL /SILENT"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  4. Adds the following values:

    "DependOnService" = "WinSystem"
    "DependOnGroup" = "00"


    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PlugPlay
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay

  5. Modifies the value:

    "(Default)" = "regfile"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key

  6. Monitors user activity and logs keystrokes.
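
The registry changes in steps 2 to 5 can be checked offline against a regedit `.reg` export of a suspect host. The following is an added example, not part of the original write-up or of any vendor tool: it parses the export text and reports which of the listed subkeys and values are present. The function names and the sample export are constructed for illustration, and multi-string data such as `DependOnService` is assumed to be in regedit's `hex(7)` form.

```python
import re

HKLM, SETS = "HKEY_LOCAL_MACHINE", ("ControlSet001", "CurrentControlSet")
# Subkeys listed in step 2 of the write-up.
CREATED_KEYS = [
    HKLM + r"\SOFTWARE\Classes\keyfile",
    HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Captain Mnemo Pro",
    HKLM + r"\SOFTWARE\ReFog Software\HPRG",
    r"HKEY_CURRENT_USER\Software\Captain Mnemo Pro",
] + [HKLM + r"\SYSTEM\%s\Services\WinSystem" % s for s in SETS]
# Steps 3-5: (subkey, value name, text expected in the value data).
VALUE_RULES = [
    (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "WinSystem", "WinSystems.exe"),
    (HKLM + r"\SOFTWARE\Classes\.key", "(Default)", "regfile"),
] + [(HKLM + r"\SYSTEM\%s\Services\PlugPlay" % s, "DependOnService", "WinSystem") for s in SETS]

def decode(raw):
    # Quoted REG_SZ, or hex(2)/hex(7) UTF-16LE data as written by regedit exports.
    m = re.match(r"hex\([27]\):(.*)$", raw)
    if not m:
        return raw.strip('"').replace("\\\\", "\\")
    data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return data.decode("utf-16-le", "replace").replace("\x00", " ").strip()

def parse_reg(text):
    # Parse .reg export text into {subkey_lower: {value_name_lower: data}}.
    keys, current = {}, None
    for line in map(str.strip, re.sub(r"\\\r?\n\s*", "", text).splitlines()):
        m = re.match(r'(@|"[^"]*")=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            current[name] = decode(m.group(2))
    return keys

def find_indicators(text):
    # Return the write-up's registry indicators that appear in the export text.
    keys = parse_reg(text)
    hits = [k for k in CREATED_KEYS if k.lower() in keys]
    hits += [k + "\\" + n for k, n, needle in VALUE_RULES
             if needle.lower() in keys.get(k.lower(), {}).get(n.lower(), "").lower()]
    return hits

# Constructed sample export (not from a real host): PlugPlay made to depend on WinSystem.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"DependOnService"=hex(7):57,00,69,00,6e,00,53,00,79,00,73,00,74,00,65,00,6d,00,\
  00,00,00,00'''
```

Version 5.00 exports are written as UTF-16, so decode the file (for example `open(path, encoding="utf-16")`) before passing its text to `find_indicators`.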

