Updated: February 13, 2007 11:40:24 AM
Type: Spyware
Risk Impact: Medium
File Names:
Track4WinMon.exe
STMonitor.dll
STMonitor.exe
STOptions.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
When Spyware.TwoSeven is executed, it performs the following actions:
- Creates the following folders and files:
  - C:\Program Files\0000000
  - C:\Program Files\0000000\0000000.url: Contains URL=0
  - C:\Documents and Settings\All Users\Start Menu\Programs\0000000
  - C:\Documents and Settings\All Users\Start Menu\Programs\0000000\Disclaimer.lnk: Link to C:\Program Files\0000000\0000000.url
  - C:\Documents and Settings\All Users\Start Menu\Programs\0000000\Uninstall.lnk: Link to C:\Program Files\0000000\0000000.url
  - C:\Program Files\0000000\mswinindex.exe: Copy of Spyware.TwoSeven
- Adds the value:
  "mmxrun"="C:\Program Files\0000000\mswinindex.exe"
  to the registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  so that Spyware.TwoSeven runs every time Windows starts.
- Adds the value:
  "MMXRunFlag"="[random character]ccessories"
  to the registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
- Monitors the titlebars of every running window for the following strings:
  - alexa
  - hotbot
  - overture
  - walhello
  - tecnoseek
  - splatsearch
  - tuttonet
  - simpatico.it
  - siciliano
  - sharelook
  - www.rosenet.it
  - palcoscenico
  - ladysilvia
  - MavicaNet
  - GoSeekIt
  - Ischia
  - Il trovatore
  - cavarzano.com
  - dominitaliani
  - goldenclic
  - Abacho
  - MetaCrawler
  - Open Directory
  - Excite
  - Arianna
  - godado.it:
  - supereva
  - Kataweb
  - Tiscali
  - EDintorni
  - Lycos
  - MSN Search
  - Xupiter.com
  - Altavista:
  - Yahoo!
  - VIRGILIO
  - alltheweb.com
  - Google
- Sends query information from the above search engines to a predetermined site.
- Attempts to download and run a program from a predetermined site that is now defunct.
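
To check a host for the two registry values described above, the following added example (not part of the original write-up) parses the text of a `.reg` export and reports the "mmxrun" Run entry and the "MMXRunFlag" value. The function names, the sample export, and the flag's leading character "x" are constructed for illustration.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CV_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"

# "name"="data" lines (REG_SZ); backslashes and quotes are escaped in exports.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {KEY_PATH_UPPER: {value_name: string_data}} for string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_indicators(text):
    """List (kind, value_name, data) tuples matching the write-up's values."""
    keys, findings = parse_reg_export(text), []
    for name, data in keys.get(RUN_KEY.upper(), {}).items():
        # Match on the value name or on the dropped copy's file name.
        if name.lower() == "mmxrun" or data.lower().endswith("\\mswinindex.exe"):
            findings.append(("run-persistence", name, data))
    for name, data in keys.get(CV_KEY.upper(), {}).items():
        # One arbitrary character followed by "ccessories".
        if name.lower() == "mmxrunflag" and re.fullmatch(r".ccessories", data):
            findings.append(("flag-value", name, data))
    return findings

# Constructed sample export; "SomeUpdater" is a benign placeholder entry.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
"MMXRunFlag"="xccessories"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeUpdater"="C:\\Program Files\\Example\\updater.exe"
"mmxrun"="C:\\Program Files\\0000000\\mswinindex.exe"
'''

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE):
        print(finding)
```

Exports written by Registry Editor are usually UTF-16, so decode the file accordingly before passing its text to `find_indicators`.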