
Spyware.PowerSpy

Updated:
February 13, 2007 11:47:55 AM
Type:
Spyware
Risk Impact:
High
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Spyware.PowerSpy is run it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\Power Spy\help.chm
    • %ProgramFiles%\Power Spy\License.txt
    • %ProgramFiles%\Power Spy\PCJB.exe
    • %ProgramFiles%\Power Spy\readme.txt
    • %ProgramFiles%\Power Spy\unins000.dat
    • %ProgramFiles%\Power Spy\unins000.exe
    • %System%\windll32.exe
    • %System%\regsvcdll.exe
    • %System%\file.emx (A log file.)
    • %System%\psuser.ini (A JMail configuration file that contains the email address that the stored data is sent to.)

      Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Adds the value:

    "regsvcdll" = "%System%\regsvcdll.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it is executed every time Windows starts.

  3. Drops a number of third-party DLLs in the %System% folder and registers them using regsvr32.exe. A number of registry entries will therefore be associated with these third-party libraries. The following is a list of the legitimate .dll and .ocx files created by the risk:

    • %System%\comdlg32.ocx
    • %System%\MSCOMCTL.OCX
    • %System%\mscomct2.ocx
    • %System%\TABCTL32.OCX
    • %System%\Vic32.dll

  4. Drops a number of third-party DLLs in the %System% folder under names that differ from their original file names, and registers them using regsvr32.exe. A number of registry entries will therefore be associated with these third-party libraries. The following is a list of the legitimate .dll and .ocx files created by the risk, with the original name of each:

    • %System%\p21.dat (A copy of oleacc.dll)
    • %System%\p22.dat (A copy of msinet.ocx)
    • %System%\p23.dat (A copy of mswinsk.ocx)
    • %System%\p20.dat (A copy of jmail.dll)
    • %System%\emx1.dat (A copy of ciaxpbutton20.ocx)
    • %System%\emx6.dat (A copy of ciaResSvr20.ocx)
    • %System%\emx10.dat (A copy of ciaSubClsSvr.dll)
    • %System%\emx11.dat (A copy of ciaXPRegSvr20.dll)

  5. Logs the following information from the computer:

    • Keystrokes
    • Screen snapshots
    • Web sites visited
    • Folders visited
    • Programs run
    • Chat conversations

  6. Sends this information to a configurable email address. The information can also be viewed on the local computer.

  7. Runs in stealth mode, which makes it invisible to the user.
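The file and registry artifacts listed in steps 1 through 4 are the indicators a responder can check for. The following is an added example, not Symantec's code: an offline matcher that expands the write-up's %System% and %ProgramFiles% variables using the default locations given in the note, compares a host's file inventory and HKLM Run values against the listed indicators, and (on Windows only) can read the real Run key through the standard `winreg` module. The sample inventory at the bottom is constructed for demonstration, and the live-host helper is an assumption about how the check would be applied.

```python
# Added example: indicator matcher for the Spyware.PowerSpy artifacts listed
# in this write-up. Not Symantec code. The live-host helper is an assumption.
import os
from dataclasses import dataclass

# Dropped files from steps 1, 3 and 4 of the write-up (renamed DLLs included).
DROPPED_FILES = [
    r"%ProgramFiles%\Power Spy\PCJB.exe", r"%ProgramFiles%\Power Spy\unins000.exe",
    r"%System%\windll32.exe", r"%System%\regsvcdll.exe",
    r"%System%\file.emx", r"%System%\psuser.ini",
    r"%System%\p20.dat", r"%System%\p21.dat", r"%System%\p22.dat", r"%System%\p23.dat",
    r"%System%\emx1.dat", r"%System%\emx6.dat", r"%System%\emx10.dat", r"%System%\emx11.dat",
]

# Persistence entry from step 2.
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY = r"HKEY_LOCAL_MACHINE\\" + RUN_SUBKEY
RUN_VALUE_NAME = "regsvcdll"
RUN_VALUE_DATA = r"%System%\regsvcdll.exe"

# Default folder locations from the write-up's note, keyed by OS family.
PLATFORM_DEFAULTS = {
    "9x": {"%System%": r"C:\Windows\System", "%ProgramFiles%": r"C:\Program Files"},
    "nt": {"%System%": r"C:\Winnt\System32", "%ProgramFiles%": r"C:\Program Files"},
    "xp": {"%System%": r"C:\Windows\System32", "%ProgramFiles%": r"C:\Program Files"},
}


def expand(path, variables):
    """Substitute %System% / %ProgramFiles% using the given mapping."""
    for name, value in variables.items():
        path = path.replace(name, value)
    return path


@dataclass
class Finding:
    kind: str      # "file" or "registry"
    detail: str


def match_files(observed_paths, variables=PLATFORM_DEFAULTS["xp"]):
    """Case-insensitive match of observed full paths against the dropped-file list."""
    expected = {expand(p, variables).lower() for p in DROPPED_FILES}
    return [Finding("file", p) for p in observed_paths if p.lower() in expected]


def match_run_values(run_values, variables=PLATFORM_DEFAULTS["xp"]):
    """run_values: dict of value name -> data under the HKLM Run key.
    Flags the entry by value name or by data, so an unexpanded %System% form
    and the expanded path both match."""
    want = expand(RUN_VALUE_DATA, variables).lower()
    findings = []
    for name, data in run_values.items():
        d = expand(str(data), variables).lower().strip('"')
        if name.lower() == RUN_VALUE_NAME.lower() or d == want:
            findings.append(Finding("registry", f"{RUN_KEY}\\{name} = {data}"))
    return findings


def scan_inventory(files, run_values, variables=PLATFORM_DEFAULTS["xp"]):
    """Combine file and registry matches for an already-collected inventory."""
    return match_files(files, variables) + match_run_values(run_values, variables)


def scan_live_host():
    """Hypothetical live check; only does anything on Windows. Reads the real
    Run key with winreg and tests the expanded paths with os.path.exists."""
    if os.name != "nt":
        return []
    import winreg
    variables = {
        "%System%": os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32"),
        "%ProgramFiles%": os.environ.get("ProgramFiles", r"C:\Program Files"),
    }
    present = [expand(p, variables) for p in DROPPED_FILES
               if os.path.exists(expand(p, variables))]
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = data
            i += 1
    return scan_inventory(present, values, variables)


# Constructed sample inventory (not from a real host) for demonstration.
SAMPLE_FILES = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\REGSVCDLL.EXE",
    r"C:\Windows\System32\psuser.ini",
    r"C:\Program Files\Power Spy\PCJB.exe",
]
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    "regsvcdll": r"C:\Windows\System32\regsvcdll.exe",
}

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f.kind, f.detail)
```

The matcher keys on exact dropped-file paths and on the Run value by both name and data; it deliberately does not match the legitimately named components from step 3 (comdlg32.ocx and friends), since those files are present on many clean systems and would only produce false positives.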

