Spyware.WALogger


Updated: February 13, 2007 11:44:57 AM
Type: Spyware
Version: 10.0.25
Publisher: TCB Software
Risk Impact: High
File Names: WALI_LITE_Setup.exe, SERVICES.EXE, WALIMAIN.exe, WALI.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Spyware.WALogger is installed, it performs the following actions:
  1. Creates the following files:

    • %System%\CatRoot2\tmp.edb
    • %System%\dllcache\hhctrl.ocx
    • %System%\hh.exe
    • %System%\OLD46.tmp
    • %System%\RICHTX32.OCX
    • %System%\TABCTL32.OCX
    • %System%\UNIPro4TCBS.ocx
    • %System%\VB6STKIT.DLL
    • %System%\WALI\SVCS\1151211099711011610199.al - log file
    • %System%\WALI\SVCS\readme.txt
    • %System%\WALI\SVCS\SERVICES.EXE - log process
    • %System%\WALI\SVCS\UGF.bin
    • %System%\WALI\SVCS\unins000.dat
    • %System%\WALI\SVCS\unins000.exe
    • %System%\WALI\SVCS\wali0
    • %System%\WALI\SVCS\WALIHelp.chm
    • %System%\WALI\SVCS\WALIMAIN.exe - main GUI
    • %System%\WALI\SVCS\WALIMAIN.exe.manifest
    • %System%\WALI.dll
    • %Windir%\LastGood\system32\hhctrl.ocx

      Notes:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93AAC05D-B974-4770-A9EE-92EFE7A59A85}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BA6AF311-61FA-468B-BB20-303BFA6B6C6B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F51CF22E-E6B3-498F-A9A5-80E80E9E06BD}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8FB10DD5-CC4F-4D5C-B8E9-E45BE911DE2A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UNIPro.uUNIPro
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WALI.cWALIRun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Activity Logging Interface_is1

    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WALI


  3. Adds the value:

    "WSVCS" = "%System%\WALI\SVCS\SERVICES.EXE"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Adds the value:

    "AlternateCLSID" = "{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}

  5. Logs keystrokes to the .al log file listed in step 1.
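The following read-only check looks for the file, registry and persistence artifacts described in steps 1 through 5. It is an added example, not part of the Symantec writeup or the publisher's software. It assumes an NT-family Windows where %System% resolves to $env:SystemRoot\System32 and that it is run from an elevated PowerShell session; the set of files it checks is a deliberate subset that leaves out the shared VB6 runtime components (RICHTX32.OCX, TABCTL32.OCX, VB6STKIT.DLL, hh.exe, hhctrl.ocx), because legitimate software installs those too and they are not evidence of this risk on their own.

```powershell
# Added example: read-only indicator check for Spyware.WALogger.
# Assumes %System% = $env:SystemRoot\System32 (Windows NT/2000/XP layout)
# and an elevated session so HKLM and %System% are readable.
$system   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Files specific to the risk (shared VB6 runtime files intentionally omitted).
$files = @(
    (Join-Path $system 'WALI.dll'),
    (Join-Path $system 'UNIPro4TCBS.ocx'),
    (Join-Path $system 'WALI\SVCS\SERVICES.EXE'),
    (Join-Path $system 'WALI\SVCS\WALIMAIN.exe'),
    (Join-Path $system 'WALI\SVCS\1151211099711011610199.al')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings += "File present: $f"
    }
}

# 2. Registry keys that only this software creates.
$keys = @(
    'HKLM:\SOFTWARE\Classes\WALI.cWALIRun',
    'HKLM:\SOFTWARE\Classes\UNIPro.uUNIPro',
    'HKLM:\SOFTWARE\Classes\CLSID\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Activity Logging Interface_is1',
    'HKCU:\Software\VB and VBA Program Settings\WALI'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += "Registry key present: $k"
    }
}

# 3. Run-key persistence. The value name is WSVCS and the data points at a
#    SERVICES.EXE under WALI\SVCS, not the legitimate %System%\services.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'WSVCS' -ErrorAction SilentlyContinue
if ($run -and $run.WSVCS -match 'WALI\\SVCS\\SERVICES\.EXE') {
    $findings += "Persistence: $runKey\WSVCS = $($run.WSVCS)"
}

# 4. ActiveX Compatibility redirection to the risk's own CLSID.
$axKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}'
$ax = Get-ItemProperty -LiteralPath $axKey -Name 'AlternateCLSID' -ErrorAction SilentlyContinue
if ($ax -and $ax.AlternateCLSID -eq '{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}') {
    $findings += "ActiveX redirection: $axKey\AlternateCLSID = $($ax.AlternateCLSID)"
}

# 5. The logging process, if it is running now. Match on the executable path,
#    because the real Windows services.exe shares the process name.
Get-CimInstance Win32_Process -Filter "Name = 'SERVICES.EXE'" |
    Where-Object { $_.ExecutablePath -like '*\WALI\SVCS\*' } |
    ForEach-Object { $findings += "Running log process: PID $($_.ProcessId) $($_.ExecutablePath)" }

if ($findings.Count -eq 0) {
    'No Spyware.WALogger indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The script only reports; it removes nothing, so it can be run before and after cleanup to confirm that the Run value, the WALI\SVCS directory and the AlternateCLSID redirection are all gone. Matching the persistence entry on its full path rather than on the name SERVICES.EXE is what keeps the check from flagging the legitimate Service Control Manager binary.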

