Spyware.EmailSpy


Updated: February 13, 2007 11:43:27 AM
Type: Spyware
Version: 4.5
Risk Impact: High
File Names: vmsprog.exe; escp.exe; vmsdrv.sys
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.EmailSpy is installed, it performs the following actions:

  1. May drop some or all of the following files:

    • %ProgramFiles%\[Security Risk Folder]\escp.exe
    • %ProgramFiles%\[Security Risk Folder]\help.chm
    • %ProgramFiles%\[Security Risk Folder]\license.rtf
    • %System%\vmsprog.exe
    • %System%\vmsdrv.sys
    • %UserProfile%\Start menu\Programs\Email Spy
    • %UserProfile%\Favorites\Links

    Notes:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • [Security Risk Folder] is a variable that refers to the installation folder for the security risk. This folder may be named "Email Spy" or "Email Spy Pro", depending on the version of the software installed.

  2. May create the following links:

    • %UserProfile%\All Users\Start Menu\Programs\[Security Risk Folder]\Email Spy Control Panel.lnk
    • %UserProfile%\All Users\Start Menu\Programs\[Security Risk Folder]\Email Spy Help.lnk
    • %UserProfile%\All Users\Start Menu\Programs\[Security Risk Folder]\Email Spy Online.lnk
    • %UserProfile%\All Users\Start Menu\Programs\[Security Risk Folder]\License.lnk
    • %UserProfile%\All Users\Start Menu\Programs\[Security Risk Folder]\Uninstall Email Spy.lnk

  3. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Uninstall\Email Spy
    HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Uninstall\Email Spy Pro

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy\vmsdrv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy\vmsprog
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsdrv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsprog


  4. Adds the value:

    "TrapPollTimeMilliSecs" = "15000"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\Current Version\Parameters

  5. Creates a service with the following properties:

    Name: vmsdrv
    Display name: vmsdrv
    Path: %System%\system32\vmsdrv.sys
    Description: None

  6. Creates a service with the following properties:

    Name: vmsprog
    Display name: Virtual Manager System
    Path: %System%\system32\vmsprog.exe
    Description: None
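
A host-triage check for the file indicators in step 1, added here as an example and not part of the original write-up: it expands the %ProgramFiles%, %System% and [Security Risk Folder] placeholders to the defaults given in the Notes and matches them case-insensitively against an exported file listing. The function names and the sample listing are constructed for illustration; the per-user %UserProfile% entries are left out because they depend on the account name.

```python
import itertools

# Default locations taken from the write-up's Notes (one per Windows family).
VARIABLES = {
    "%ProgramFiles%": [r"C:\Program Files"],
    "%System%": [r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32"],
    "[Security Risk Folder]": ["Email Spy", "Email Spy Pro"],
}

# Path templates for the dropped files, copied from step 1 of the write-up.
TEMPLATES = [
    r"%ProgramFiles%\[Security Risk Folder]\escp.exe",
    r"%ProgramFiles%\[Security Risk Folder]\help.chm",
    r"%ProgramFiles%\[Security Risk Folder]\license.rtf",
    r"%System%\vmsprog.exe",
    r"%System%\vmsdrv.sys",
]

def expand(template):
    """Return every concrete path a template can resolve to."""
    used = [v for v in VARIABLES if v in template]
    paths = []
    for combo in itertools.product(*(VARIABLES[v] for v in used)):
        path = template
        for var, value in zip(used, combo):
            path = path.replace(var, value)
        paths.append(path)
    return paths

def normalize(path):
    """Windows paths are case-insensitive; also accept forward slashes."""
    return path.strip().replace("/", "\\").lower()

def match_inventory(listing):
    """Map each listed path that matches an indicator to its template."""
    index = {normalize(p): t for t in TEMPLATES for p in expand(t)}
    return {line.strip(): index[normalize(line)]
            for line in listing if normalize(line) in index}

# Constructed sample: a file listing exported from one host (not real data).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\vmsdrv.sys",
    r"C:\Windows\System32\notepad.exe",
    r"c:/program files/Email Spy Pro/escp.exe",
    r"C:\Program Files\Email Spy\readme.txt",
]

if __name__ == "__main__":
    for path, template in match_inventory(SAMPLE_LISTING).items():
        print(f"{path}  <-  {template}")
```

A hit on a file path alone is only a lead; confirm it against the services and registry subkeys listed in steps 3 to 6.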

