Updated: February 13, 2007 11:43:51 AM
Type: Spyware
Version: 3.2
Publisher: PAL Solutions
Risk Impact: High
File Names:
Setup_CSS_Shareware.exe
explorer.exe
klpf.exe
MkShort.exe
run32dll.exe
svchost.exe
TheHook
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Spyware.ComSurveilSys is installed, it performs the following actions:
- Creates the following files:
- %UserProfile%\Desktop\PAL - CSS.lnk
- %System%\PAL\CSS\atl71.dll
- %System%\PAL\CSS\cpu.exe
- %System%\PAL\CSS\CSS - Shareware License.txt
- %System%\PAL\CSS\explorer.exe
- %System%\PAL\CSS\IEGuard.dll
- %System%\PAL\CSS\ijl15.dll
- %System%\PAL\CSS\klpf.exe
- %System%\PAL\CSS\MFC71.dll
- %System%\PAL\CSS\MkShort.exe
- %System%\PAL\CSS\msvcp71.dll
- %System%\PAL\CSS\msvcr71.dll
- %System%\PAL\CSS\readme!!!.txt
- %System%\PAL\CSS\regsvr32.exe
- %System%\PAL\CSS\run32dll.exe
- %System%\PAL\CSS\svchost.exe
- %System%\PAL\CSS\TheHook.dll
- %System%\PAL\CSS\TheHookXP.dll
- %System%\PAL\CSS\Uninstall.exe
- %System%\PAL\CSS\UNZIP.EXE
- %System%\PAL\CSS\ZIP.EXE
- %System%\PAL\CSS\zip_copyright.txt
- %ProgramFiles%\IE Protector\charp.dll
- %ProgramFiles%\IE Protector\uninstall.exe
Notes:
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\TestService.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{2EAF3815-55F5-11D1-B9C5-00C04FBD6229}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B77D30A-81C9-497A-8647-142F7511B1FB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{267B1ED2-2C9E-4A3F-BE15-7AFC79403073}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{80CC88FE-2567-42ED-A3AE-E397D2A12C52}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2EAF3814-55F5-11D1-B9C5-00C04FBD6229}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5AB0D266-DD2B-4006-B9D6-A9145291BDD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEGuard.IEWebGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEGuard.IEWebGuard.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{1B77D30A-81C9-497A-8647-142F7511B1FB}
HKEY_LOCAL_MACHINE\SOFTWARE\KLP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows LAN Service Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows LAN Service Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\charp.IEWebGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\charp.IEWebGuard.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Uninstall\Charp
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
\{1B77D30A-81C9-497A-8647-142F7511B1FB}
- Adds the value:
"klp" = "%System%\PAL\CSS\explorer.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
- Logs keystrokes, captures screenshots, and monitors Internet activity.
- May email the gathered information to a predetermined email address.
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine
