Updated: February 13, 2007 11:44:40 AM
Type: Spyware
Version: 1.1
Publisher: Retina-X Studios
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Spyware.ScreenSpy is executed, it performs the following actions:
- Creates the following folders:
  - %UserProfile%\My Documents\CopDad\1.1\Screen Spy Images\[USER SID]
  - %Windir%\Installer\{61C9D4F3-DDDC-4C13-A3F6-F77225A6C396}
  Note:
  - %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
  - %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- Creates the following files:
  - %UserProfile%\Start Menu\Programs\Screen Spy\Screen Spy Uninstall.lnk
  - %UserProfile%\Start Menu\Programs\Screen Spy\Screen Spy.lnk
  - %System%\ScreenRX\comdlg32.ocx
  - %System%\ScreenRX\IJL11.DLL
  - %System%\ScreenRX\mscomct2.ocx
  - %System%\ScreenRX\MSCOMCTL.OCX
  - %System%\ScreenRX\readme.rtf
  - %System%\ScreenRX\SYSINFO.OCX
  - %System%\ScreenRX\unins000.dat
  - %System%\ScreenRX\unins000.exe
  - %System%\ScreenRX\win16dll.exe
  - %UserProfile%\Desktop\CopDad.lnk
  - %SystemDrive%\Documents and settings\All Users\Desktop\CopDad.lnk
  - %Windir%\Installer\[FIVE RANDOM CHARACTERS].msi
  - %System%\svc_copdadnotify.exe
  - %System%\WSpyNotify.dll
  - %UserProfile%\Start Menu\Programs\VirtualLTD\CopDad 1.2\CopDad.lnk
  - %UserProfile%\Start Menu\Programs\VirtualLTD\CopDad 1.2\Uninstall.lnk
  - %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\VirtualLTD\CopDad 1.2\CopDad.lnk
  - %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\VirtualLTD\CopDad 1.2\Uninstall.lnk
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\en-Us\VL.CopDad.resources.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\en-Us\VL.Screenspy.GUI.resources.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\fr-Fr\VL.CopDad.resources.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\fr-Fr\VL.Screenspy.GUI.resources.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\msvcr71.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\nd0053-4812.ICO
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\ScreenSpyHelp.chm
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\SVC_CopDad.exe
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\svc_copdad.InstallState
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\SVC_CopDadNotify.exe
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.Controls.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.CopDad.exe
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.CopDad.exe.manifest
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.CopDad.Server.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.Data.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.ScreenSpy.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.Screenspy.GUI.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.ScreenSpy.ScreenCapture.dll
  - %ProgramFiles%\VirtualLTD\CopDad\1.2\ScreenSpy\VL.UtilityLibrary.dll
  Note:
  - %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  - %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
  - %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the following registry subkeys:
- Adds the values:
  "win16.dll" = "%System%\ScreenRX\win16dll.exe"
  "srv32win" = "%System%\ScreenRX\win16dll.exe"
  to the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  so that it runs every time Windows starts.
- Adds the value:
  "DLLName" = "WSpyNotify.dll"
  to the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CopDad
  so that it runs every time Windows starts.
- Modifies the value:
  "[Default]" = "%System%\ScreenRX\[FILE NAME]"
  in the registry subkeys:
- Modifies the values:
  "%System%\svc_copdadnotify.exe" = "1"
  "%System%\WSpyNotify.dll" = "1"
  in the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
- Runs silently and takes periodic screenshots.
- Allows the following to be configured through a user interface:
  - Time interval used to take screenshots
  - Users to be monitored
  - A password to access the user interface
- Saves the screenshots in the following folder:
  %UserProfile%\My Documents\CopDad\1.1\Screen Spy Images\[USER SID]
  Note: [USER SID] is the SID of the user being monitored.
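
The two startup entries described above (the Run values and the Winlogon Notify value) can be checked for in a registry export. The following is an added example, not part of the original write-up: it parses .reg-format text and reports matching entries. The function names and the sample export are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re

# Keys and values taken from the write-up; compared in lower case.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NOTIFY_KEY = (r"hkey_local_machine\software\microsoft\windows nt"
              r"\currentversion\winlogon\notify\copdad")
RUN_VALUE_NAMES = {"win16.dll", "srv32win"}
# %System% differs per Windows version, so match only the tail of the path.
RUN_TARGET_SUFFIX = r"\screenrx\win16dll.exe"

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {lower-cased key path: {value name: string data}} (REG_SZ only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_screenspy_persistence(text):
    """List (location, value name, data) for each startup entry that matches."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() in RUN_VALUE_NAMES or data.lower().endswith(RUN_TARGET_SUFFIX):
            hits.append(("Run", name, data))
    for name, data in keys.get(NOTIFY_KEY, {}).items():
        if name.lower() == "dllname" and data.lower() == "wspynotify.dll":
            hits.append(("Winlogon Notify", name, data))
    return hits

# Constructed sample export (already decoded to text), not captured from a host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"win16.dll"="C:\\WINNT\\System32\\ScreenRX\\win16dll.exe"
"renamed"="C:\\WINDOWS\\system32\\ScreenRX\\win16dll.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CopDad]
"DLLName"="WSpyNotify.dll"
'''
```

Matching on the path tail rather than the full path catches the entry under both C:\Winnt\System32 and C:\Windows\System32, and also when the value name has been changed.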