Spyware.WinRecon

Printer Friendly Page

Updated: February 13, 2007 11:45:07 AM

Type: Spyware

Version: 2.63

Publisher: WinRecon

Risk Impact: High

File Names: WinRecon.exe (installer) Dataview.exe (log viewer) WinRecon.exe (viral file)

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Spyware.WinRecon is installed, it performs the following actions:

Creates the following files:
- %UserProfile%\Start Menu\Programs\WinRecon\WinRecon.lnk
- %ProgramFiles%\WinRecon\codex.exe
- %ProgramFiles%\WinRecon\condex.exe
- %ProgramFiles%\WinRecon\Dataview.exe (viral)
- %ProgramFiles%\WinRecon\hand.cur
- %ProgramFiles%\WinRecon\LICENSE.TXT
- %ProgramFiles%\WinRecon\sp5.exe
- %ProgramFiles%\WinRecon\uninstal.exe
- %ProgramFiles%\WinRecon\uninstal.ini
- %ProgramFiles%\WinRecon\WinRecon.exe (viral)
- %System%\CatRoot2\tmp.edb
- %System%\kpAccess.dll
- %System%\kpsc.ocx
- %System%\kpunzip.dll
- %System%\kpview.ocx
- %System%\kpzip.dll
- %System%\RICHTX32.OCX
- %System%\VB6STKIT.DLL
- %System%\COMDLG32.OCX
- %System%\config\software
- %System%\config\software.LOG
- %System%\MSSTDFMT.DLL
- %System%\MSWINSCK.OCX
- %System%\riched32.dll
- %System%\TABCTL32.OCX
- %Windir%\LastGood\INF\oem5.inf
- %Windir%\LastGood\INF\oem5.PNF
- %Windir%\LastGood\System32\ASYCFILT.DLL
- %Windir%\LastGood\System32\COMCAT.DLL
- %Windir%\LastGood\System32\MSVBVM60.DLL
- %Windir%\LastGood\System32\OLEAUT32.DLL
- %Windir%\LastGood\System32\OLEPRO32.DLL
- %Windir%\LastGood\System32\STDOLE2.TLB
  
  Notes:
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
Creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3EDF892D-D60F-4E94-83BC-A93BC4C91D1D} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3065315-1D2C-4992-8F24-57FEF0E1DCB5} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{09D14D02-1C28-4EA5-9D34-101E6A1C688F} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4008A442-D2E8-4A64-8BBA-F145CA9D60C9} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D0E090C1-F267-4152-B718-EFB01B139522} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3DE1EFF-67BA-4317-89D7-BB60FC26E414} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1CA5F9A1-DA0A-4C31-8C7F-81B497EAD912} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F2DDA1D5-C5A2-4149-9D82-3B7ABE4CB411} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\kpsc.kpscEnc HKEY_LOCAL_MACHINE\SOFTWARE\Classes\kpview1.kpview HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRecon HKEY_LOCAL_MACHINE\SOFTWARE\Arboc HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood
Adds the value:

"WinRecon v.2.63" = "C:\Program Files\WinRecon"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Gentee\Paths
Modifies the value:
"(DEFAULT)" ="{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLibHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib
Modifies the value:
"(DEFAULT)" = "%System%\MSWINSCK.OCX"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32
Modifies the value:
"(DEFAULT)" = "%System%\MSWINSCK.OCX, 1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32
Modifies the value:
"(DEFAULT)" = "%System%\TABCTL32.OCX"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\InprocServer32HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\InprocServer32HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\0\win32
Modifies the value:
"(DEFAULT)" = "%System%\TABCTL32.OCX, 1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\ToolboxBitmap32
Logs keystrokes and takes screenshots.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}