
Spyware.ActMon

Updated: December 8, 2006 3:32:03 AM
Type: Spyware
Name: ActMon Computer Monitoring
Version: 5.20
Publisher: ActMon Software
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Spyware.ActMon is spyware that logs keystrokes and captures screenshots silently. This spyware can email logs to a pre-defined address.

Once executed, the spyware creates the following files:
%UserProfile%\Application Data\syswin\[USERNAME].dat
%UserProfile%\Application Data\syswin\SupportLog_[USERNAME].txt
%UserProfile%\Desktop\actmon-cm-setup.exe
%UserProfile%\Start Menu\Programs\ActMonCM\ActMon CM Control Center.lnk
%UserProfile%\Start Menu\Programs\ActMonCM\ActMon Computer Monitoring Manual.lnk
%System%\drivers\wskrnlc.sys
%System%\acm-manual.chm
%System%\acmcc.exe
%System%\rbwinx1.dll
%System%\wskrnl.exe
%System%\wskrnlb.dll
%System%\wskrnlb.exe
%System%\wskrnlc.dll
%System%\wskrnlc.vxd
%System%\wskrnld.dll
%System%\wskrnle.dll

It then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\srvprc
HKEY_LOCAL_MACHINE\SOFTWARE\wskrnl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wskrnlc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wskrnlc

The risk then creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"srvprc" = ""%System%\srvprc.exe" -at"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"wskrnl" = ""%System%\wskrnl.exe" -at"

The risk also modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\"UpperFilters" = "kbdclass[EXTENDED ASCII CHARACTER 191]wskrnlc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\"UpperFilters" = "kbdclass[EXTENDED ASCII CHARACTER 191]wskrnlc"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\ACPI\PNP0303\4&5289e18&0\Control\"ActiveService" = "wskrnlc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0303\4&5289e18&0\Control\"ActiveService" = "wskrnlc"

The risk then logs keystrokes and captures screenshots silently.
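Defender-side check for the artifacts listed above, added here as an example and not part of the Symantec writeup: it reads the keyboard class UpperFilters value (a REG_MULTI_SZ that on a stock system contains only kbdclass; the writeup shows wskrnlc appended to it), enumerates the Policies\Explorer\Run autostart key, and tests for the service key, marker keys and dropped files named above, reporting without removing anything. It assumes an elevated PowerShell 3 or later session on the host being examined.

```powershell
# Added example: read-only audit for the ActMon artifacts listed in this writeup.
# Not part of the writeup; run from an elevated PowerShell on the host being examined.
function Get-ActMonArtifacts {
    $findings  = @()
    $kbdClass  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
    $policyRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

    # UpperFilters on the keyboard device class is a REG_MULTI_SZ; a stock install lists
    # only kbdclass. Any extra name is a keyboard filter driver that sees every keystroke.
    $filters = (Get-ItemProperty -Path $kbdClass -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
    foreach ($f in @($filters)) {
        if ($f -and $f -ne 'kbdclass') { $findings += "Keyboard UpperFilter other than kbdclass: $f" }
    }

    # Policies\Explorer\Run is an autostart location processed by Explorer at logon;
    # the writeup shows srvprc and wskrnl registered here with the -at switch.
    if (Test-Path $policyRun) {
        $skip = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
        foreach ($p in (Get-ItemProperty -Path $policyRun).PSObject.Properties) {
            if ($skip -contains $p.Name) { continue }
            $findings += "Policies\Explorer\Run: $($p.Name) = $($p.Value)"
        }
    }

    # Service key and marker keys named in the writeup.
    foreach ($k in 'HKLM:\SYSTEM\CurrentControlSet\Services\wskrnlc',
                   'HKLM:\SOFTWARE\srvprc', 'HKLM:\SOFTWARE\wskrnl') {
        if (Test-Path $k) { $findings += "Registry key present: $k" }
    }

    # Dropped files: %System% binaries plus the per-user log directory.
    $sys   = [Environment]::SystemDirectory
    $files = @('drivers\wskrnlc.sys','acmcc.exe','rbwinx1.dll','wskrnl.exe','wskrnlb.dll',
               'wskrnlb.exe','wskrnlc.dll','wskrnlc.vxd','wskrnld.dll','wskrnle.dll') |
             ForEach-Object { Join-Path $sys $_ }
    $files += Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'syswin'
    foreach ($f in $files) {
        if (Test-Path $f) { $findings += "File present: $f" }
    }
    return $findings
}

$hits = Get-ActMonArtifacts
if ($hits.Count -eq 0) { 'No ActMon artifacts found.' } else { $hits }
```

A non-empty result is a lead for investigation, not proof of infection on its own; the UpperFilters check in particular also flags legitimate keyboard filter drivers, which should be identified before anything is removed.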