Spyware.PCWatch


Updated: February 13, 2007 11:44:44 AM
Type: Spyware
Version: 1.01
Publisher: RAC Computers
Risk Impact: Low
File Names: pcwatch.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Spyware.PCWatch is installed, it performs the following actions:

  1. Creates the following files:

    • %System%\CapScrn.ocx
    • %System%\DBGRID32.OCX
    • %System%\DBLIST32.OCX
    • %System%\FreeImageX.dll
    • %System%\RICHTX32.OCX
    • %System%\tabctl32.ocx
    • %System%\VB5DB.dll
    • %System%\VB5StKit.dll
    • %Windir%\ST5UNST.EXE
    • C:\Store\capday.dat
    • C:\Store\capnum.dat
    • C:\Store\Friday\Initial.JPG
    • C:\Store\Monday\Initial2.JPG
    • C:\Store\PC Watch Personal and Proffesional 2003.doc
    • C:\Store\pcwatch.cfg
    • C:\Store\pcwatch.exe
    • C:\Store\Saturday\Initial3.JPG
    • C:\Store\ST5UNST.LOG
    • C:\Store\startup.cfg
    • C:\Store\Sunday\Initial4.JPG
    • C:\Store\Thursday\Initial5.JPG
    • C:\Store\Tuesday\Initial6.JPG
    • C:\Store\Wednesday\Initial7.JPG

    Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\axsCaptureScrn.axsCapScreen
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.DBEngine.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.Field.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.Group.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.Index.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.PrivateDBEngine.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.QueryDef.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.Relation.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.TableDef.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DAO.User.35
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FreeImage.Application
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FreeImage.Application.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FreeImage.Image
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FreeImage.Image.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FreeImage.Multipage
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FreeImage.Multipage.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FreeImage.Painting
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FreeImage.Painting.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDBCtls.DBCombo
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDBCtls.DBCombo.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDBCtls.DBList
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDBCtls.DBList.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDBGrid.DBGrid
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TabDlg.SSTab
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TabDlg.SSTab.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\3.5
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\DAO
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcwatch.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST5UNST #1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager

  3. Adds the value:

    "PCWatch" = "c:\store\pcwatch.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Adds the following values:

    "ApplicationName" = "pcwatch.exe"
    "DisplayName" = "PC Watch"
    "UninstallString" = "C:\WINDOWS\ST5UNST.EXE -n "C:\Store\ST5UNST.LOG"  "
    "AppToUninstall" = "pcwatch.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST5UNST #1

  5. Logs keystrokes and captures screenshots.
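
The following Python code is an added example, not part of the original write-up: it checks evidence collected from a host (a file listing and the values under the Run subkey) against the indicators listed above, expanding %System% and %Windir% as described in the Notes. The split into strong and weak indicators, the function names and the sample evidence are assumptions of this example.

```python
# Default folder locations from the Notes above, keyed by Windows family.
FOLDERS = {
    "9x": {"%windir%": r"c:\windows", "%system%": r"c:\windows\system"},
    "nt": {"%windir%": r"c:\winnt", "%system%": r"c:\winnt\system32"},
    "xp": {"%windir%": r"c:\windows", "%system%": r"c:\windows\system32"},
}

# Assumption of this example: files under C:\Store are specific to the risk,
# while the %System%/%Windir% entries may be shared with other software.
STRONG_FILES = [r"C:\Store\pcwatch.exe", r"C:\Store\pcwatch.cfg",
                r"C:\Store\startup.cfg", r"C:\Store\capday.dat",
                r"C:\Store\capnum.dat"]
WEAK_FILES = [r"%System%\RICHTX32.OCX", r"%System%\tabctl32.ocx",
              r"%Windir%\ST5UNST.EXE"]
RUN_VALUE = ("PCWatch", r"c:\store\pcwatch.exe")


def normalize(path, family):
    """Lower-case, strip quotes, and expand the page's folder variables."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    for var, real in FOLDERS[family].items():
        if p.startswith(var):
            p = real + p[len(var):]
    return p


def triage(file_listing, run_values, family):
    """Return strong/weak indicator hits and whether persistence is set."""
    seen = {normalize(f, family) for f in file_listing}
    strong = [f for f in STRONG_FILES if normalize(f, family) in seen]
    weak = [f for f in WEAK_FILES if normalize(f, family) in seen]
    # Registry value names and Windows paths are both case-insensitive.
    runs = {k.lower(): normalize(v, family) for k, v in run_values.items()}
    persistent = runs.get(RUN_VALUE[0].lower()) == normalize(RUN_VALUE[1], family)
    return {"strong": strong, "weak": weak, "persistent": persistent,
            "installed": bool(strong) or persistent}


# Constructed sample evidence from a hypothetical Windows 2000 host.
SAMPLE_FILES = [r"C:\WINNT\system32\RICHTX32.OCX", r"C:\WINNT\ST5UNST.EXE",
                r"c:\STORE\PCWATCH.EXE", r"C:\Store\pcwatch.cfg"]
SAMPLE_RUN = {"pcwatch": r'"C:\Store\pcwatch.exe"'}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_RUN, "nt"))
```

Weak hits alone do not mark a host as affected in this example; only a C:\Store file or the Run value does.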

