Spyware.ComSpySysSvr

Updated: February 13, 2007 11:46:20 AM
Type: Spyware
Version: 1.1
Publisher: Munart SRL
Risk Impact: High
File Names: key.dll, The_Eye.exe, Setup CSS.msi, CSSServer.exe, CSS Data Manager.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Spyware.ComSpySysSvr is installed, it performs the following actions:

  1. Creates the following files:

    • [RANDOM FOLDER]\key.dll
    • [RANDOM FOLDER]\The_Eye.exe
    • %UserProfile%\Start Menu\Programs\Computer Spying System\Computer Spying System Help.lnk
    • %UserProfile%\Start Menu\Programs\Computer Spying System\CSS Data Manager.lnk
    • %UserProfile%\Start Menu\Programs\Computer Spying System\CSSServer.lnk
    • %ProgramFiles%\Munart\CSS\ComputerSpyingSystem.chm
    • %ProgramFiles%\Munart\CSS\CSS Data Manager.exe
    • %ProgramFiles%\Munart\CSS\CSSServer.exe
    • %ProgramFiles%\Munart\CSS\csssettings.dat
    • %ProgramFiles%\Munart\CSS\EULA Computer Spying System.rtf
    • %ProgramFiles%\Munart\CSS\key.dll
    • %ProgramFiles%\Munart\CSS\The_Eye.exe
    • %System%\Temp\[date].jpg
    • %System%\Temp\keys.ktm

    Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\ECE9CF640C19F064B84B575037320481
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{49865713-16CE-46C6-BE8A-DF022D50C497}
    HKEY_LOCAL_MACHINE\SOFTWARE\Munart
    HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\31756894EC616C64EBA8FD20D2054C79
    HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\31756894EC616C64EBA8FD20D2054C79
    HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\ECE9CF640C19F064B84B575037320481
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Computer Spying System
    HKEY_CURRENT_USER\Software\Munart


  3. Adds the following values:

    "CSS Server" = "%ProgramFiles%\Munart\CSS\CSSServer.exe"
    "display" = "[RANDOM FOLDER]\The_Eye.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  4. Adds the following values:

    "%UserProfile%\Start Menu\Programs\Computer Spying System\" = "1"
    "%ProgramFiles%\Munart\CSS\" = ""
    "%ProgramFiles%\Munart\" = ""
    "%UserProfile%\Application Data\Microsoft\Installer\{49865713-16CE-46C6-BE8A-DF022D50C497}\" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

  5. Captures screenshots and sends them to a predefined IP address.
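
An added example, not part of the original write-up: a Python triage check over saved `reg query` output for the Run key named in step 3. Because The_Eye.exe is placed in a randomly named folder, it matches on file name rather than full path; the sample output, function names and confidence labels are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from steps 1 and 3 of the write-up.
RUN_VALUE_NAMES = {"css server", "display"}
DROPPED_EXES = {"cssserver.exe", "the_eye.exe"}
INSTALL_DIR_SUFFIX = r"\munart\css"

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (value_name, data) pairs from `reg query <key>` output."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            yield m.group("name"), m.group("data").strip()

def executable_of(data):
    """Return the executable path of a Run entry, without quotes or arguments."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data

def find_run_indicators(reg_query_output):
    """Return (value_name, file_name, confidence) for entries matching the write-up."""
    findings = []
    for name, data in parse_reg_query(reg_query_output):
        folder, base = ntpath.split(executable_of(data))
        if base.lower() not in DROPPED_EXES:
            continue  # a value merely named "display" is too generic to flag
        corroborated = (name.lower() in RUN_VALUE_NAMES
                        or folder.lower().endswith(INSTALL_DIR_SUFFIX))
        findings.append((name, base, "high" if corroborated else "medium"))
    return findings

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CSS Server    REG_SZ    C:\Program Files\Munart\CSS\CSSServer.exe
    display    REG_SZ    "C:\WINDOWS\xkqzt\The_Eye.exe"
    Display Helper    REG_SZ    C:\Program Files\Vendor\disphelper.exe /tray
    Updater    REG_SZ    D:\Tools\the_eye.exe -q
"""

if __name__ == "__main__":
    for finding in find_run_indicators(SAMPLE):
        print(finding)
```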
