Updated: December 8, 2006 3:32:03 AM
Type: Spyware
Name: ActMon Computer Monitoring
Version: 5.20
Publisher: ActMon Software
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Spyware.ActMon is spyware that logs keystrokes and captures screenshots silently. This spyware can email logs to a pre-defined address.
Once executed, the spyware creates the following files:
%UserProfile%\Application Data\syswin\[USERNAME].dat
%UserProfile%\Application Data\syswin\SupportLog_[USERNAME].txt
%UserProfile%\Desktop\actmon-cm-setup.exe
%UserProfile%\Start Menu\Programs\ActMonCM\ActMon CM Control Center.lnk
%UserProfile%\Start Menu\Programs\ActMonCM\ActMon Computer Monitoring Manual.lnk
%System%\drivers\wskrnlc.sys
%System%\acm-manual.chm
%System%\acmcc.exe
%System%\rbwinx1.dll
%System%\wskrnl.exe
%System%\wskrnlb.dll
%System%\wskrnlb.exe
%System%\wskrnlc.dll
%System%\wskrnlc.vxd
%System%\wskrnld.dll
%System%\wskrnle.dll
It then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\srvprc
HKEY_LOCAL_MACHINE\SOFTWARE\wskrnl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wskrnlc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wskrnlc
The risk then creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"srvprc" = ""%System%\srvprc.exe" -at"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"wskrnl" = ""%System%\wskrnl.exe" -at"
The risk also modifies the following registry entries, registering its wskrnlc driver as an additional upper filter for the keyboard device class (UpperFilters is a multi-string value; the unprintable separator shown below divides the default kbdclass entry from the added wskrnlc entry) and making it the active service for the keyboard device, so the driver sees keystrokes as they enter the system:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\"UpperFilters" = "kbdclass[EXTENDED ASCII CHARACTER 191]wskrnlc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\"UpperFilters" = "kbdclass[EXTENDED ASCII CHARACTER 191]wskrnlc"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\ACPI\PNP0303\4&5289e18&0\Control\"ActiveService" = "wskrnlc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0303\4&5289e18&0\Control\"ActiveService" = "wskrnlc"
The risk then logs keystrokes and captures screenshots silently.
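As an added detection example, not part of the original write-up, the following PowerShell audits the two persistence points listed above: the keyboard class UpperFilters list, where anything other than the default kbdclass filter is reported along with its service ImagePath, and the policies\Explorer\Run autostart key, which is normally empty. It assumes it is run on the host under inspection with read access to HKLM; the key and value names come from this page.

```powershell
# Added detection example (not from the original advisory).
# Assumption: run locally with rights to read HKLM.

$KeyboardClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$PoliciesRun   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
# kbdclass is the only upper filter Windows installs for the keyboard class by default.
$ExpectedFilters = @('kbdclass')

function Test-KeyboardUpperFilters {
    # UpperFilters is REG_MULTI_SZ, so it reads back as a string array;
    # every entry beyond kbdclass is a driver that can see raw keyboard input.
    $filters = (Get-ItemProperty -Path $KeyboardClass -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
    foreach ($f in @($filters)) {
        if ($ExpectedFilters -notcontains $f) {
            # Resolve the filter's service entry to find the driver binary on disk.
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$f" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Finding   = 'Unexpected keyboard upper filter'
                Name      = $f
                ImagePath = $svc.ImagePath
                Start     = $svc.Start
            }
        }
    }
}

function Test-PoliciesExplorerRun {
    # Group Policy owns this key and it is empty on most systems; autostart
    # entries here are missed by checks that only inspect the usual Run keys.
    $key = Get-Item -Path $PoliciesRun -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Finding = 'policies\Explorer\Run autostart'
            Name    = $name
            Command = $key.GetValue($name)
        }
    }
}

$findings = @(Test-KeyboardUpperFilters) + @(Test-PoliciesExplorerRun)
if ($findings.Count -eq 0) {
    'No unexpected keyboard filters or policies\Explorer\Run entries found.'
} else {
    $findings | Format-List
}
```

On a host carrying this risk the first check reports wskrnlc with its ImagePath under %System%\drivers, and the second lists the srvprc and wskrnl values with their "-at" command lines.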