Spyware.Intelliflag


Updated: February 13, 2007 11:47:50 AM
Type: Spyware
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003


When Spyware.Intelliflag is executed, it performs the following actions:
  1. Creates the following files:

    • C:\Program Files\Intelliflag Content Monitor\application_list.txt
    • C:\Program Files\Intelliflag Content Monitor\CM_AL.exe
    • C:\Program Files\Intelliflag Content Monitor\CM_MS.exe
    • C:\Program Files\Intelliflag Content Monitor\CM_YC.exe
    • C:\Program Files\Intelliflag Content Monitor\CryptKci.dll
    • C:\Program Files\Intelliflag Content Monitor\EM_OE.exe
    • C:\Program Files\Intelliflag Content Monitor\EM_OU.exe
    • C:\Program Files\Intelliflag Content Monitor\Gen_Config.enc
    • C:\Program Files\Intelliflag Content Monitor\help.chm
    • C:\Program Files\Intelliflag Content Monitor\IntelliFlag.exe
    • C:\Program Files\Intelliflag Content Monitor\IntelliFlag.exe.PreARM
    • C:\Program Files\Intelliflag Content Monitor\Intelliflagcm.arm
    • C:\Program Files\Intelliflag Content Monitor\Intelliflagcm.Stats
    • C:\Program Files\Intelliflag Content Monitor\Intelliflag_be.exe
    • C:\Program Files\Intelliflag Content Monitor\KM.exe
    • C:\Program Files\Intelliflag Content Monitor\Logs\Keystrokes\0116200610.log
    • C:\Program Files\Intelliflag Content Monitor\MSSCCPRJ.SCC
    • C:\Program Files\Intelliflag Content Monitor\Site_List.enc
    • C:\Program Files\Intelliflag Content Monitor\Site_Words.enc
    • C:\Program Files\Intelliflag Content Monitor\SM_IE.exe
    • C:\Program Files\Intelliflag Content Monitor\SM_NS.exe
    • C:\Program Files\Intelliflag Content Monitor\unins000.dat
    • C:\Program Files\Intelliflag Content Monitor\unins000.exe

  2. Installs the following clean files if they do not already exist on the compromised computer:

    • C:\WINDOWS\system32\msvbvm60.dll (A Microsoft Visual Basic library).
    • C:\WINDOWS\system32\COMDLG32.OCX (A Microsoft Control library).
    • C:\WINDOWS\system32\CryptKci.dll (A Freeware Encryption library).
    • C:\WINDOWS\system32\mscomctl.ocx (A Microsoft Control library).
    • C:\WINDOWS\system32\MSFLXGRD.OCX (A Microsoft Control library).
    • C:\WINDOWS\system32\Msinet.ocx (A Microsoft Control library).
    • C:\WINDOWS\system32\MS[8 RANDOM CHARACTERS].dll (An encrypted log file)
    • C:\WINDOWS\system32\MSWINSCK.OCX (A Microsoft Control library).
    • C:\WINDOWS\system32\[8 RANDOM CHARACTERS].cnt (An encrypted log file).
    • C:\WINDOWS\system32\Sen10L2.dll (A registration library).
    • C:\WINDOWS\system32\SmartMenuXP.ocx (A Shareware menu control).
    • C:\WINDOWS\system32\TABCTL32.OCX (A Microsoft Control library).
    • C:\WINDOWS\system32\VB6STKIT.DLL (A Visual Basic Setup Toolkit library).
    • C:\WINDOWS\system32\vbSendMail.dll (A Shareware EMail library).
    • C:\WINDOWS\system32\vbskpro2.ocx (A Shareware Skins Control).
    • C:\WINDOWS\[8 RANDOM CHARACTERS].log (An encrypted log file).
    • C:\WINDOWS\[8 RANDOM CHARACTERS].dat (An encrypted log file).
    • C:\[8 RANDOM CHARACTERS].001 (An encrypted log file).
    • C:\[8 RANDOM CHARACTERS].sys (An encrypted log file).

  3. Adds the value:

    "Intelliflag_be.exe" = "C:\Program Files\Intelliflag Content Monitor\Intelliflag_be.exe"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Adds the value:

    "(Default)" = "Program Files\Intelliflag Content Monitor\Intelliflag.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Intelliflag.exe

  5. Adds the value:

    "C:\WINDOWS\system32\Sen10L2.dll" = "1"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

  6. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Intelliflag Content Monitor_is1
    HKEY_LOCAL_MACHINE\SOFTWARE\Intelliflag
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE51DE2E-2FA0-4451-9241-8CFE5A2F9869}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E3324155-5645-4D6A-B0F2-89266B291C4F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{05F35AA2-D3CC-4041-890C-046E9910D6BF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SEN10L2.Registration


    This risk also creates registry keys associated with shareware applications and Microsoft components, which may be unsafe to delete as they can be used by other legitimate applications.

  7. Logs keystrokes, Web sites visited, and instant message conversations. The logs can be sent to a configurable email address.
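
The file and registry artifacts listed above can be checked against a collected file listing and registry export. The following is an added example, not part of the original write-up; the input format, the function names and matching the install folder on any drive letter are assumptions. It keeps the clean shared libraries from step 2 separate so they are never treated as a detection on their own.

```python
import ntpath

# Indicators specific to this risk, copied from the steps above (compared lowercased).
INSTALL_DIR = "\\program files\\intelliflag content monitor\\"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_VALUE = "intelliflag_be.exe"
RISK_KEYS = {
    r"hkey_local_machine\software\intelliflag",
    r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall\intelliflag content monitor_is1",
    r"hkey_local_machine\software\microsoft\windows\currentversion\app paths\intelliflag.exe",
}
# Clean shared libraries from step 2: reported for context, never counted as a hit.
SHARED = {"msvbvm60.dll", "comdlg32.ocx", "mscomctl.ocx", "msflxgrd.ocx",
          "msinet.ocx", "mswinsck.ocx", "tabctl32.ocx", "vb6stkit.dll"}

def norm(path):
    """Normalise a Windows path or key: trim quotes, collapse separators, lowercase."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def triage(file_paths, registry_entries):
    """registry_entries holds (key, value_name, data) tuples (assumed export format).
    Returns (indicators, shared_seen) as sorted lists."""
    indicators, shared_seen = set(), set()
    for raw in file_paths:
        p = norm(raw)
        # Assumption: the install folder is matched on any drive letter.
        if ntpath.splitdrive(p)[1].startswith(INSTALL_DIR):
            indicators.add(("file", p))
        elif ntpath.basename(p) in SHARED:
            shared_seen.add(p)
    for key, name, data in registry_entries:
        k = norm(key)
        if k == RUN_KEY and name.lower() == RUN_VALUE:
            indicators.add(("persistence", norm(data)))
        elif k in RISK_KEYS:
            indicators.add(("registry", k))
    return sorted(indicators), sorted(shared_seen)

# Constructed sample collection (not from a real host).
SAMPLE_FILES = [r"C:\PROGRAM FILES\Intelliflag Content Monitor\KM.exe",
                r"C:\WINDOWS\system32\msvbvm60.dll", r"C:\WINDOWS\notepad.exe"]
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Intelliflag_be.exe",
     r'"C:\Program Files\Intelliflag Content Monitor\Intelliflag_be.exe"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Intelliflag", "", ""),
]

if __name__ == "__main__":
    hits, shared = triage(SAMPLE_FILES, SAMPLE_REGISTRY)
    print("indicators:", hits)
    print("shared components seen (not a detection):", shared)
```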

