Spyware.WSLogger

Printer Friendly Page

Updated: February 13, 2007 11:46:56 AM

Type: Spyware

Version: 2.0.2

Publisher: Cromosoft Technologies

Risk Impact: High

File Names: wslogger.exe svchost .exe bootldr.exe

Systems Affected: Windows 2000, Windows 98, Windows CE, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Spyware.WSLogger is executed, it performs the following actions:

Creates the following files:
- %UserProfile%\Desktop\WS Logger.lnk
- %UserProfile%\Start Menu\Programs\WinSession Logger\Purchase WinSession Logger now!.lnk
- %UserProfile%\Start Menu\Programs\WinSession Logger\Readme File.lnk
- %UserProfile%\Start Menu\Programs\WinSession Logger\Uninstall WinSession Logger.lnk
- %ProgramFiles%\WSLogger\buy_WinSession.url
- %ProgramFiles%\WSLogger\CONFIG.wsl
- %ProgramFiles%\WSLogger\help.cnt
- %ProgramFiles%\WSLogger\help.hlp
- %ProgramFiles%\WSLogger\install.exe
- %ProgramFiles%\WSLogger\readme.txt
- %ProgramFiles%\WSLogger\sp.ini
- %ProgramFiles%\WSLogger\state mail.txt
- %ProgramFiles%\WSLogger\unins000.dat
- %ProgramFiles%\WSLogger\unins000.exe
- %ProgramFiles%\WSLogger\wslogger.exe (detected as Spyware.WSLogger)
- %UserProfile%\Local Settings\Temp\is-HLK68.tmp\WPcap3_nogui.exe(installer for WinPCap: The Windows Packet Library)
- %System%\9500\svchost.exe (detected as Spyware.WSLogger)
- %System%\bootldr.exe (detected as Spyware.WSLogger)
- %System%\conwxrl.bin
- %System%\delservicew.exe
- %System%\digiwin.dll (detected as Spyware.WSLogger)
- %System%\exwin32m.exe (detected as Spyware.WSLogger)
- %System%\Nxkernel32.dll (detected as Spyware.WSLogger)
- %System%\svchost .exe (detected as Spyware.WSLogger)
- %System%\svclsv.exe
- %WinDir%\YourWarning.txt
- %WinDir%\vacio
  
  Notes:
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EBT9L2DB0-B607-11d2-9CBD-0000F87A369E} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinSession Logger_is1 HKEY_LOCAL_MACHINE\SOFTWARE\Mcap4_software HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\subsystem64r
Adds the value:

"xbtl" = "C:\Windows\system32\bootldr.exe"

to the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.
Creates a service with the following characteristic:

Display Name: Check Running Software
Gathers sensitive and confidential information, including:
- All keystrokes typed
- Web sites visited
- Windows opened
- Instant messaging conversations
- Text and images from the clipboard
- Screenshots
May send this information to a preconfigured email address or upload it to an FTP site.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}