||||
Symantec.com > Security Response > Threats and Risks > Spyware.SpyOutside
PRINT THIS PAGE

Spyware.SpyOutside

Printer Friendly Page

Updated: February 13, 2007 11:44:24 AM
Type: Spyware
Version: 1.2
Publisher: www.currentchaos.tk
Risk Impact: High
File Names: spyoutside.exe Sp0.exe
Systems Affected: Windows 2000, Windows 64-bit (AMD64), Windows 64-bit (IA64), Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.SpyOutside is installed, it does the following:

  1. Creates the following files:

    • %ProgramFiles%\SpYOuTSiDe\Config.ini
    • %ProgramFiles%\SpYOuTSiDe\License.txt
    • %ProgramFiles%\SpYOuTSiDe\Pics\<random filename>.jpg
    • %ProgramFiles%\SpYOuTSiDe\RCon.woc
    • %ProgramFiles%\SpYOuTSiDe\ReadMe.txt
    • %ProgramFiles%\SpYOuTSiDe\Remove.exe
    • %ProgramFiles%\SpYOuTSiDe\Sp0.exe
    • %ProgramFiles%\SpYOuTSiDe\Sp0.exe.manifest
    • %ProgramFiles%\SpYOuTSiDe\uninstall.ini

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Adds the value:

    "nwss" = "%ProgramFiles%\SpYOuTSiDe\Sp0.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  3. Creates the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CurrenTChaoS - Sp0 -

    and adds the following values:

    "UninstallString" = ""C:\Program Files\SpYOuTSiDe\\Remove.exe""
    "DisplayName" = "CurrenTChaoS - Sp0 -"
    "DisplayIcon" = "C:\Program Files\SpYOuTSiDe\\Remove.exe"
    "DisplayVersion" = "1.2"
    "HelpLink" = ""
    "HelpTelephone" = ""
    "Publisher" = "CurrenTChaoS"
    "URLInfoAbout" = "    [http://]www.CurrenTChaoS.Tk/[REMOVED]"
    "URLUpdateInfo" = "    [http://]www.CurrenTChaoS.MxHosT.NeT/[REMOVED]/Spyoutside.php"

  4. Can be configured to take screenshots at regular intervals, and saves the screenshots as:

    %ProgramFiles%\SpYOuTSiDe\Pics\[DATE AND TIME].jpg

    Note: [DATE AND TIME] represents the file name based on the date and time the security risk saves the screenshots.

  5. Logs keystrokes in the file RCon.woc.

  6. Releases the keylog and screenshots information through one of the following:

    • Posting to the domain currentchaos.com.
    • Sending the information to a preconfigured email address.
    • Uploading to an FTP server.


Search by name
Example: W32.Beagle.AG@mm
Windows 7
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS