Spyware.PCPolice


Updated: February 13, 2007 11:45:12 AM
Type: Spyware
Publisher: Digital Future
Risk Impact: High
File Names: ppagnt.exe, ppenvoke.exe, ppsvc.exe, ppsvcsys.htm, unins000.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.PCPolice is installed, it does the following:
  1. Creates the following files:

    • %System%\ppagnt.exe
    • %System%\ppenvoke.exe
    • %System%\ppsvc.exe
    • %System%\ppsvcsys.htm
    • %System%\unins000.exe

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the following keys to the registry:


    It also adds subkeys and values to these keys to set flags and configuration settings.

  3. Adds the value:

    "PPSVC"="[path to Spyware.PCPolice]"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts. 
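
The startup entry described in step 3 can be checked offline against a text export of the registry. The following Python is an added example, not part of the original write-up; it assumes a `reg export`-style file already decoded to text, handles string values only, and its function names and sample export are constructed for illustration.

```python
import ntpath
import re

# Indicators from the write-up: Run value name, dropped file names, System folder names.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ppsvc"
FILE_NAMES = {"ppagnt.exe", "ppenvoke.exe", "ppsvc.exe", "ppsvcsys.htm", "unins000.exe"}
SYSTEM_DIRS = {"system", "system32"}

# Constructed sample of "reg export" text (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"PPSVC"="C:\\WINDOWS\\system32\\ppsvc.exe"
"Renamed"="C:\\WINDOWS\\system32\\PPAGNT.EXE -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PPSVC"="C:\\temp\\unrelated.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # string values only

def image_path(command):
    """Executable part of a Run command; unquoted paths are cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def find_run_entries(export_text):
    """Return (name, data, reasons) for Run values matching the write-up's indicators."""
    hits, in_run_key = [], False
    for line in map(str.strip, export_text.splitlines()):
        header = KEY_RE.match(line)
        if header:
            in_run_key = header.group(1).lower() == RUN_KEY.lower()
            continue
        if not (in_run_key and (value := VALUE_RE.match(line))):
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())  # undo .reg escaping
        folder, base = ntpath.split(image_path(data))
        reasons = ["value name"] if name.lower() == RUN_VALUE else []
        # unins000.exe is a common uninstaller name, so require the System folder too.
        if base.lower() in FILE_NAMES and ntpath.basename(folder).lower() in SYSTEM_DIRS:
            reasons.append("file in System folder")
        if reasons:
            hits.append((name, data, reasons))
    return hits
```

Matching on the file name as well as the value name catches a startup entry that has been renamed but still points at one of the listed files in the System folder.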

