Updated: February 13, 2007 11:46:41 AM
Type: Spyware
Publisher: SoftProbe
Risk Impact: High
File Names:
spsvc.exe
spdll.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Hacktool.Spagent is executed, it performs the following actions:
- Copies itself as one of the following files:
  - %System%\spsvc.exe
  - %System%\svcsp32.exe
  - %System%\regsp3.exe
  - %System%\exp2sp.exe
  - %System%\win32sp.exe
  - %Windir%\svcsp32.exe
  - %Windir%\regsp3.exe
  - %Windir%\exp2sp.exe
  - %Windir%\win32sp.exe
  Note:
  - %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  - %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- Creates the following files:
  - %Userprofile%\All Users\Application Data\SoftProbe\[CURRENT USER].tmp
  - %Userprofile%\All Users\Application Data\SoftProbe\[COMPUTER NAME]_[CURRENT USER].spd
  - %Userprofile%\[User Name]\Application Data\SoftProbe\data\[COMPUTER NAME]_[CURRENT USER].bck
  Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
- Adds the value:
  "spsvc" = "%System%\spsvc.exe"
  to the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  so that the risk runs every time Windows starts.
- May create the following registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\spagent
- Hooks all keyboard and mouse events and stores them, together with related information such as the window title, in log files. These files can be accessed remotely.
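The file and registry artifacts listed above can be checked against triage data collected from a host. The following Python is an added example, not part of the original write-up: the function names, the input format (a list of file paths plus a dict of registry keys and their values) and the sample data are assumptions constructed for illustration.

```python
import re

# Default folders from the write-up's notes on %System% and %Windir%.
SYSTEM_DIRS = [r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32"]
WINDIR_DIRS = [r"C:\Windows", r"C:\Winnt"]
SYSTEM_NAMES = ["spsvc.exe", "svcsp32.exe", "regsp3.exe", "exp2sp.exe", "win32sp.exe"]
WINDIR_NAMES = SYSTEM_NAMES[1:]  # spsvc.exe is listed only under %System%
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SPAGENT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\spagent"
# Log/data files: matched on the SoftProbe folder tail only, so the profile
# root and the computer/user names can be anything.
DATA_RE = re.compile(r"\\application data\\softprobe\\(?:data\\)?[^\\]+\.(?:tmp|spd|bck)$")

def known_copies():
    """Lower-cased full paths of every copy location listed in the write-up."""
    paths = {(d + "\\" + n).lower() for d in SYSTEM_DIRS for n in SYSTEM_NAMES}
    return paths | {(d + "\\" + n).lower() for d in WINDIR_DIRS for n in WINDIR_NAMES}

def sweep(file_paths, registry):
    """Return (kind, detail) leads; name matches still need hash or AV confirmation."""
    findings, copies = [], known_copies()
    for path in file_paths:
        low = path.lower()  # Windows paths are case-insensitive
        if low in copies:
            findings.append(("file-copy", path))
        elif DATA_RE.search(low):
            findings.append(("data-file", path))
    reg = {key.lower(): values for key, values in registry.items()}
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "spsvc" or data.strip('"').lower().endswith("\\spsvc.exe"):
            findings.append(("run-value", name + " = " + data))
    if SPAGENT_KEY.lower() in reg:
        findings.append(("registry-key", SPAGENT_KEY))
    return findings

# Constructed triage data (not from a real host).
SAMPLE_FILES = [r"C:\WINDOWS\system32\spsvc.exe", r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINNT\regsp3.exe",
    r"C:\Documents and Settings\All Users\Application Data\SoftProbe\LAB01_alice.spd",
    r"C:\Documents and Settings\alice\Application Data\SoftProbe\data\LAB01_alice.bck"]
SAMPLE_REG = {RUN_KEY.upper(): {"spsvc": r"C:\WINDOWS\system32\spsvc.exe",
                                "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
              SPAGENT_KEY: {}}

if __name__ == "__main__":
    for kind, detail in sweep(SAMPLE_FILES, SAMPLE_REG):
        print(kind, detail)
```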