||||
Symantec.com > Security Response > Threats and Risks > Spyware.SpymodePCSpy
PRINT THIS PAGE

Spyware.SpymodePCSpy

Printer Friendly Page

Updated: February 13, 2007 11:39:36 AM
Type: Spyware
Version: Version 4
Publisher: www.spymode.com
Risk Impact: High
File Names: main.exe memaker2.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Spyware.SpymodePCSpy is installed, it performs the following actions:
  1. Copies the following files, if they are not already present:

    • %Windir%\System\memaker2.txt
    • %Windir%\System\memaker2.exe
    • %Windir%\winmem132.dat
    • %System%\comdlg32.ocx
    • %System%\mswinsck.ocx
    • %UserProfile%\Local Settings\Temp\*.tmp

      Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • comdlg32.ocx is a legitimate Microsoft ActiveX Control file
    • mswinsck.ocx is a legitimate Microsoft Winsock Control file

  2. Modifies the value:

    "pst" = "C:\WINDOWS\system\memaker2.exe"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the adware is executed every time Windows starts.

  3. Modifies the value:

    "wrn" = "unr"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

  4. Creates the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\pcs

  5. Creates the following legitmate registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
    HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
    HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
    HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
    HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
    HKEY_CLASSES_ROOT\MSWinsock.Winsock
    HKEY_CLASSES_ROOT\MSWinsock.Winsock.1


Search by name
Example: W32.Beagle.AG@mm
Limited Time Offers! Save up to 50%
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS