Spyware.WebPI

Updated: February 13, 2007 11:45:05 AM
Type: Spyware
Version: 2.51
Publisher: Softec Enterprises, Inc.
Risk Impact: High
File Names: wpi251.exe (installer), sftmouse.dll, SoftKey.dll, ks.exe, mc.exe, ws.exe, wssys.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Adware.Starware is installed, it performs the following actions:
    1. Creates the following files:

      • %UserProfile%\Desktop\WebPI.LNK
      • %UserProfile%\Start Menu\Programs\WebPI.LNK
      • %System%\GVBOX.ocx
      • %System%\GVJPEG32.DLL
      • %System%\hooklib.dll
      • %System%\sftmouse.dll (detected as Spyware.WebPI)
      • %System%\SoftKey.dll (detected as Spyware.WebPI)
      • %System%\VB5StKit.dll
      • %Windir%\ST5UNST.EXE
      • %Windir%\wssys\diskspace.sys
      • %Windir%\wssys\down.gif
      • %Windir%\wssys\key\ks.sys
      • %Windir%\wssys\ks.exe (detected as Spyware.WebPI)
      • %Windir%\wssys\mc.exe (detected as Spyware.WebPI)
      • %Windir%\wssys\scr\[Date_Time].SYS
      • %Windir%\wssys\ST5UNST.LOG
      • %Windir%\wssys\up.gif
      • %Windir%\wssys\WPIUnst.exe
      • %Windir%\wssys\ws.exe (detected as Spyware.WebPI)
      • %Windir%\wssys\wssys.cnt
      • %Windir%\wssys\wssys.exe (detected as Spyware.WebPI)
      • %Windir%\wssys\WSSYS.HLP
      • %System%\SYSINFO.OCX

        Notes:
      • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
      • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

    2. Creates the following registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA438A1-2530-11D2-9D84-00C04F7FB7C4}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA438A4-2530-11D2-9D84-00C04F7FB7C4}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7EDC300-766F-11CF-A64F-0020AF37425D}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FBA474B-43AC-11CE-9A0E00AA0062BB4C}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E7EDC301-766F-11CF-A64F-0020AF37425D}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E7EDC302-766F-11CF-A64F-0020AF37425D}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6FBA474BC-43AC-11CE-9A0E00AA0062BB4C}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6FBA474D-43AC-11CE-9A0E00AA0062BB4C}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E7EDC303-766F-11CF-A64F-0020AF37425D}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Typelib\{6FBA474E-43AC-11CE-9A0E00AA0062BB4C}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GVBOX.GvboxCtrl.1
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ws.exe
      HKEY_CURRENT_USER\Software\VB and VBA Program Settings\wssys


    3. Adds the value:

      "wssys" = "%Windir%\wssys\wssys.exe"

      to the registry subkeys:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run

      so that the risk runs every time Windows starts.

    4. Modifies the value:

       "(Default)" = "{97177EBC-0C54-11D0-B407-00AA00C14969}"

      in the following registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\TypeLib
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib


    5. Logs keystrokes and captures screenshots.
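
    Added example, not part of the original write-up: a Python triage check that matches an offline snapshot (a file listing plus exported HKEY_CURRENT_USER Run values) against the files this page marks as detected and the "wssys" Run value from step 3. The function names, the snapshot format and the sample data are assumptions made for illustration; the folder defaults come from the Notes above.

```python
import ntpath

# Default folder names from the page's Notes. Trying both subfolders under
# both roots is a superset of the defaults the page lists.
WINDIR_DEFAULTS = [r"C:\Windows", r"C:\Winnt"]
SYSTEM_SUBDIRS = ["System", "System32"]

# Only the files the page marks "(detected as Spyware.WebPI)"; the other
# created files are deliberately not treated as indicators here.
DETECTED = [
    r"%System%\sftmouse.dll", r"%System%\SoftKey.dll",
    r"%Windir%\wssys\ks.exe", r"%Windir%\wssys\mc.exe",
    r"%Windir%\wssys\ws.exe", r"%Windir%\wssys\wssys.exe",
]
RUN_NAME, RUN_DATA = "wssys", r"%Windir%\wssys\wssys.exe"  # step 3

# Constructed sample snapshot (not taken from a real host).
SAMPLE_FILES = [
    r"c:\WINNT\wssys\WSSYS.EXE",
    r"C:\Winnt\System32\softkey.dll",
    r"C:\Winnt\System32\VB5StKit.dll",
]
SAMPLE_RUN = {"WSSYS": r'"C:\WINNT\wssys\wssys.exe"'}

def expand(template):
    """Return every lower-cased default path a %Var% template can expand to."""
    out = set()
    for windir in WINDIR_DEFAULTS:
        for sysdir in SYSTEM_SUBDIRS:
            p = template.replace("%Windir%", windir)
            p = p.replace("%System%", ntpath.join(windir, sysdir))
            out.add(ntpath.normpath(p).lower())
    return out

def triage(file_listing, run_values):
    """Match a snapshot against the page's detected files and Run value."""
    # Windows paths and value names are case-insensitive, so compare lower-cased.
    seen = {ntpath.normpath(p).lower() for p in file_listing}
    hits = sorted(t for t in DETECTED if expand(t) & seen)
    data = {k.lower(): v for k, v in run_values.items()}.get(RUN_NAME)
    persistence = False
    if data is not None:
        cleaned = ntpath.normpath(data.strip().strip('"')).lower()
        persistence = cleaned in expand(RUN_DATA)
    return {"files": hits, "persistence": persistence}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_RUN))
```

    A Run value named "wssys" that points somewhere other than the %Windir%\wssys folder is reported as no persistence match, so an unrelated program that happens to reuse the name is not flagged.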