
Spyware.EmployeeWatch


Updated: February 13, 2007 11:43:32 AM
Type: Spyware
Version: 8.63
Publisher: www.matewatcher.com
Risk Impact: High
File Names: svchost.exe csrss.exe smss.exe
Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


The following are features of Spyware.EmployeeWatch:

  • Logs keystrokes and programs executed
  • Captures screenshots
  • Records both sides of Yahoo, AIM, and ICQ instant messenger conversations.


When Spyware.EmployeeWatch runs, it performs the following actions:
  1. Creates the following files:

    • %SystemDrive%\windowsupdate\ufp\ew7\csrss.ex (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\ew7\initializer.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\ew7\smss.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\ew7\svchost.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\ew7\uninstall.dat (Uninstaller data.)
    • %SystemDrive%\windowsupdate\ufp\ew7\Uninstall.exe (An uninstaller for the program.)
    • %SystemDrive%\windowsupdate\ufp\ew7\uninstall-ew7.dat
    • %SystemDrive%\windowsupdate\ufp\ew7\[USER NAME]\[USER NAME].dll
    • %SystemDrive%\windowsupdate\ufp\ew7\[USER NAME].usr
    • %Windir%\Employee Watcher 8.63 Uninstaller.exe (An uninstaller for the program.)
    • %SystemDrive%\windowsupdate\ufp\kl7\csrss.ex (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\kl7\initializer.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\kl7\smss.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\kl7\svchost.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\kl7\uninstall.dat (Uninstaller data.)
    • %SystemDrive%\windowsupdate\ufp\kl7\uninstall-kl7.dat (Uninstaller data.)
    • %SystemDrive%\windowsupdate\ufp\kl7\Uninstall.exe (An uninstaller for the program.)
    • %SystemDrive%\windowsupdate\ufp\kl7\[USER NAME]\[USER NAME].dll
    • %SystemDrive%\windowsupdate\ufp\kl7\[USER NAME].usr
    • %Windir%\Generic Installer Uninstaller.exe
    • %SystemDrive%\windowsupdate\ufp\ss47\csrss.ex (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\ss47\initializer.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\ss47\smss.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\ss47\svchost.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\ss47\uninstall.dat (Uninstaller data.)
    • %SystemDrive%\windowsupdate\ufp\ss47\Uninstall.exe (An uninstaller for the program.)
    • %SystemDrive%\windowsupdate\ufp\ss47\uninstall-ss47.dat
    • %SystemDrive%\windowsupdate\ufp\ss47\[USER NAME]\[USER NAME].dll
    • %SystemDrive%\windowsupdate\ufp\ss47\[USER NAME].usr
    • %Windir%\Generic Installer Uninstaller.exe
    • %SystemDrive%\windowsupdate\ufp\imm70\csrss.ex (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\imm70\initializer.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\imm70\smss.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\imm70\svchost.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\imm70\uninstall.dat (Uninstaller data.)
    • %SystemDrive%\windowsupdate\ufp\imm70\Uninstall.exe (An uninstaller for the program.)
    • %SystemDrive%\windowsupdate\ufp\imm70\uninstall-imm70.dat
    • %SystemDrive%\windowsupdate\ufp\imm70\[USER NAME]\[USER NAME].dll
    • %SystemDrive%\windowsupdate\ufp\imm70\[USER NAME].usr
    • %Windir%\Generic Install Uninstaller.exe
    • %SystemDrive%\windowsupdate\ufp\008\csrss.ex (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\008\initializer.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\008\smss.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\008\svchost.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\008\uninstall.dat (Uninstaller data.)
    • %SystemDrive%\windowsupdate\ufp\008\Uninstall.exe (An uninstaller for the program.)
    • %SystemDrive%\windowsupdate\ufp\008\uninstall-008.dat
    • %SystemDrive%\windowsupdate\ufp\008\[USER NAME]\[USER NAME].dll
    • %SystemDrive%\windowsupdate\ufp\008\[USER NAME].usr
    • %Windir%\008 KLRemote Uninstaller.exe
    • %SystemDrive%\windowsupdate\ufp\kw7\csrss.ex (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\kw7\initializer.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\kw7\smss.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\kw7\svchost.exe (Detected as Spyware.EmployeeWatch.)
    • %SystemDrive%\windowsupdate\ufp\kw7\uninstall.dat (Uninstaller data.)
    • %SystemDrive%\windowsupdate\ufp\kw7\Uninstall.exe (An uninstaller for the program.)
    • %SystemDrive%\windowsupdate\ufp\kw7\uninstall-kw7.dat
    • %SystemDrive%\windowsupdate\ufp\kw7\[USER NAME]\[USER NAME].dll
    • %SystemDrive%\windowsupdate\ufp\kw7\[USER NAME].usr
    • %Windir%\Generic Installer Uninstaller.exe
    • %SystemDrive%\windowsupdate\008.dat
    • %SystemDrive%\windowsupdate\ew7.dat
    • %SystemDrive%\windowsupdate\imm70.dat
    • %SystemDrive%\windowsupdate\kl7.dat
    • %SystemDrive%\windowsupdate\kw7.dat
    • %SystemDrive%\windowsupdate\ss47.dat


    Notes:
    • %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Creates the following legitimate files, if they are not already present on the computer:

    • %System%\ANSMTP.dll (A dll used for mail functionality.)
    • %System%\CapScrn.ocx (A screen capture utility from AXSoft.)
    • %System%\Dwshk36.ocx (A Desaware Spyworks Hook Control component.)
    • %System%\DWSPY36.DLL (A Desaware Spyworks Hook Control component.)
    • %System%\Msinet.ocx (An ActiveX component from Microsoft.)
    • %System%\PINGX.DLL (A dll to test connections on the network.)
    • %System%\Pingx.ocx (An ActiveX component to test connections on the network.)
    • %System%\Richtx32.ocx (An ActiveX component from Microsoft.)

      Note: These files are legitimate and may be used by other legitimate programs. Therefore they are not detected by Symantec antivirus products.

  3. Adds the values:

    "WinUpdateProtection" = "%SystemDrive%\windowsupdate\ufp\ew7\csrss.ex"
    "WinUpdateProtection" = "%SystemDrive%\windowsupdate\ufp\kl7\csrss.ex"
    "WinUpdateProtection" = "%SystemDrive%\windowsupdate\ufp\ss47\csrss.ex"
    "WinUpdateProtection" = "%SystemDrive%\windowsupdate\ufp\imm70\csrss.ex"
    "WinUpdateProtection" = "%SystemDrive%\windowsupdate\ufp\008\csrss.ex"
    "WinUpdateProtection" = "%SystemDrive%\windowsupdate\ufp\kw7\csrss.ex"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs every time Windows starts.

  4. Creates the following registry keys associated with the legitimate files in Step 2:

    HKEY_CLASSES_ROOT\CLSID\{0468C950-83E2-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\CLSID\{22B4C8F5-A686-42CC-8224-E4817445109F}
    HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}
    HKEY_CLASSES_ROOT\CLSID\{2C704DBB-9C46-11D1-B784-00001C1AD1F8}
    HKEY_CLASSES_ROOT\CLSID\{389B19B9-9A87-11D1-B77F-00001C1AD1F8}
    HKEY_CLASSES_ROOT\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
    HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
    HKEY_CLASSES_ROOT\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}
    HKEY_CLASSES_ROOT\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}
    HKEY_CLASSES_ROOT\CLSID\{6E29B981-9C50-11D1-B784-00001C1AD1F8}
    HKEY_CLASSES_ROOT\CLSID\{6E29B982-9C50-11D1-B784-00001C1AD1F8}
    HKEY_CLASSES_ROOT\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
    HKEY_CLASSES_ROOT\CLSID\{855C49A7-9C3C-11D1-B784-00001C1AD1F8}
    HKEY_CLASSES_ROOT\CLSID\{8B8BB3A2-8576-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
    HKEY_CLASSES_ROOT\CLSID\{DE5C2449-65D5-4413-BFCF-6BFCDF294665}
    HKEY_CLASSES_ROOT\Interface\{0468C94F-83E2-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\Interface\{0468C951-83E2-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\Interface\{389B19B7-9A87-11D1-B77F-00001C1AD1F8}
    HKEY_CLASSES_ROOT\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
    HKEY_CLASSES_ROOT\Interface\{3E3621C0-8635-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
    HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
    HKEY_CLASSES_ROOT\Interface\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}
    HKEY_CLASSES_ROOT\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
    HKEY_CLASSES_ROOT\Interface\{8B8BB3A1-8576-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\Interface\{8B8BB3A3-8576-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}
    HKEY_CLASSES_ROOT\Interface\{A834857C-9A90-11D1-B77F-00001C1AD1F8}
    HKEY_CLASSES_ROOT\Interface\{AB14F05E-4C1D-49DC-8BD5-9E6B510B3EBA}
    HKEY_CLASSES_ROOT\Interface\{B78B0E98-0431-4A6B-8C3D-F240FE8725F5}
    HKEY_CLASSES_ROOT\Interface\{D937A3C0-8634-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
    HKEY_CLASSES_ROOT\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
    HKEY_CLASSES_ROOT\Interface\{F7C1A3FA-C511-488A-B583-4F153B9368C4}
    HKEY_CLASSES_ROOT\TypeLib\{0468C933-83E2-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\TypeLib\{0468C941-83E2-11D3-BE51-00C0DFC2E32C}
    HKEY_CLASSES_ROOT\TypeLib\{0A4AFE1D-F664-11D0-B649-00001C1AD1F8}
    HKEY_CLASSES_ROOT\TypeLib\{1FAA49C4-16B7-4D28-8930-31BE1810D943}
    HKEY_CLASSES_ROOT\TypeLib\{389B19AA-9A87-11D1-B77F-00001C1AD1F8}
    HKEY_CLASSES_ROOT\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
    HKEY_CLASSES_ROOT\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
    HKEY_CLASSES_ROOT\TypeLib\{DE6317F7-6EF0-45C2-88D1-8E09415817F1}
    HKEY_CLASSES_ROOT\ANSMTP.OBJ
    HKEY_CLASSES_ROOT\ANSMTP.OBJ.1
    HKEY_CLASSES_ROOT\axsCaptureScrn.axsCapScreen
    HKEY_CLASSES_ROOT\Dwshk36.DwshkPropPage
    HKEY_CLASSES_ROOT\Dwshk36.DwshkPropPage.1
    HKEY_CLASSES_ROOT\dwshk36.HookPage
    HKEY_CLASSES_ROOT\dwshk36.HookPage.1
    HKEY_CLASSES_ROOT\dwshk36.KeyList
    HKEY_CLASSES_ROOT\dwshk36.KeyList.1
    HKEY_CLASSES_ROOT\dwshk36.KeyPage
    HKEY_CLASSES_ROOT\dwshk36.KeyPage.1
    HKEY_CLASSES_ROOT\dwshk36.MsgList
    HKEY_CLASSES_ROOT\dwshk36.MsgList.1
    HKEY_CLASSES_ROOT\dwshk36.RegMsg
    HKEY_CLASSES_ROOT\dwshk36.RegMsg.1
    HKEY_CLASSES_ROOT\dwshk36.WinHook
    HKEY_CLASSES_ROOT\dwshk36.WinHook.6
    HKEY_CLASSES_ROOT\InetCtls.Inet
    HKEY_CLASSES_ROOT\InetCtls.Inet.1
    HKEY_CLASSES_ROOT\Mabry.CPingXPropPage
    HKEY_CLASSES_ROOT\Mabry.CPingXPropPage.1
    HKEY_CLASSES_ROOT\Mabry.PingX
    HKEY_CLASSES_ROOT\Mabry.PingX.1
    HKEY_CLASSES_ROOT\Mabry.PingXCom
    HKEY_CLASSES_ROOT\Mabry.PingXCom.1
    HKEY_CLASSES_ROOT\RICHTEXT.RichtextCtrl
    HKEY_CLASSES_ROOT\RICHTEXT.RichtextCtrl.1

    Note: These registry subkeys may also be used by legitimate programs and should not be deleted.
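As an added, read-only check (not Symantec's own tool or code), the following PowerShell script looks on a host for the Step 3 persistence value and the Step 1 variant folders and .dat files, and lists the Step 2 helper components separately as context; the System32 location for those helpers is an assumption, since the page does not define %System%.

```powershell
# Added example: reports Spyware.EmployeeWatch artifacts named in the writeup.
# It only reads the registry and file system; it does not delete anything.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$variants = @('ew7', 'kl7', 'ss47', 'imm70', '008', 'kw7')
$findings = @()

# Step 3 artifact: a "WinUpdateProtection" Run value (normally pointing at csrss.ex)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $value = $props.PSObject.Properties['WinUpdateProtection']
    if ($null -ne $value) {
        $findings += "Run value 'WinUpdateProtection' in $key = $($value.Value)"
    }
}

# Step 1 artifacts: %SystemDrive%\windowsupdate\ufp\<variant>\csrss.ex and <variant>.dat
$base = Join-Path $env:SystemDrive 'windowsupdate'
foreach ($v in $variants) {
    $exe = Join-Path $base "ufp\$v\csrss.ex"
    if (Test-Path $exe) { $findings += "File present: $exe" }
    $dat = Join-Path $base "$v.dat"
    if (Test-Path $dat) { $findings += "File present: $dat" }
}

# Step 2 components are legitimate and shared with other software, so their
# presence is reported as context only, never as a finding.
# Assumption: %System% resolves to %SystemRoot%\System32 on the inspected host.
$helpers = 'ANSMTP.dll','CapScrn.ocx','Dwshk36.ocx','DWSPY36.DLL',
           'Msinet.ocx','PINGX.DLL','Pingx.ocx','Richtx32.ocx'
$present = $helpers | Where-Object { Test-Path (Join-Path $env:SystemRoot "System32\$_") }

if ($findings.Count -eq 0) {
    Write-Output 'No Spyware.EmployeeWatch artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
if ($present) {
    Write-Output ('Legitimate helper components present (context only): ' + ($present -join ', '))
}
```

Run it from an elevated prompt so the HKLM Run key and the %SystemDrive%\windowsupdate tree are readable; a hit on the Run value or the csrss.ex path is the signal, while the helper list alone is not.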

