Spyware.Watchdog


Updated: February 13, 2007 11:48:13 AM
Type: Spyware
Risk Impact: High
File Names: %Windir%\Wdc\AppChat.WD %Windir%\Wdc\Ijl11.dll %Windir%\Wdc\omnithread_rt.dll %Windir%\Wdc\remo
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.Watchdog is executed, it performs the following actions:
  1. Creates the following folders:

    • %Windir%\Wdc
    • %Windir%\Wdc\Logfiles
    • %UserProfile%\Start Menu\Programs\Watchdog II Server
    • %ProgramFiles%\Watchdog II Server
    • %ProgramFiles%\Watchdog II Server\Setup

      Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following files:

    • %Windir%\Wdc\AppChat.WD
    • %Windir%\Wdc\Ijl11.dll
    • %Windir%\Wdc\omnithread_rt.dll
    • %Windir%\Wdc\remote.exe
    • %Windir%\Wdc\Replace.exe
    • %Windir%\Wdc\VBKeyboardHook.dll
    • %Windir%\Wdc\VNCHooks.dll
    • %Windir%\Wdc\Wdc.exe
    • %UserProfile%\Start Menu\Programs\Watchdog II Server\Watchdog II Server.lnk
    • %ProgramFiles%\Watchdog II Server\ELicense.txt
    • %ProgramFiles%\Watchdog II Server\INSTALL.LOG
    • %ProgramFiles%\Watchdog II Server\License.txt
    • %ProgramFiles%\Watchdog II Server\Replace.exe
    • %ProgramFiles%\Watchdog II Server\UNWISE.EXE
    • %ProgramFiles%\Watchdog II Server\WatchDog.exe
    • %ProgramFiles%\Watchdog II Server\WatchDog2.chm

  3. Creates the following non-malicious files, which may be used by other applications:

    • %System%\mswinsck.ocx
    • %System%\Richtx32.ocx
    • %System%\SMTP.ocx
    • %System%\Vb6stkit.dll
    • %System%\asycfilt.dll
    • %System%\comcat.dll
    • %System%\msvbvm60.dll
    • %System%\oleacc.dll
    • %System%\oleaut32.dll
    • %System%\olepro32.dll
    • %System%\riched32.dll
    • %System%\stdole2.tlb
    • %System%\Comdlg32.ocx
    • %System%\Mscomct2.ocx
    • %System%\Mscomctl.ocx
    • %System%\Msflxgrd.ocx

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  4. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\RHOMBUS
    HKEY_LOCAL_MACHINE\SOFTWARE\RHOMBUS\REMOTEDESKTOP
    HKEY_LOCAL_MACHINE\SOFTWARE\RHOMBUS\REMOTEDESKTOP\Default
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Watchdog II Server
    HKEY_ALL_USERS\Software\RHOMBUS
    HKEY_ALL_USERS\Software\RHOMBUS\REMOTEDESKTOP
    HKEY_ALL_USERS\Software\RHOMBUS\RhomHooks
    HKEY_ALL_USERS\Software\RHOMBUS\RhomHooks\Application_Prefs
    HKEY_ALL_USERS\Software\RHOMBUS\RhomHooks\Application_Prefs\remote.exe
    HKEY_ALL_USERS\Software\VB and VBA Program Settings
    HKEY_ALL_USERS\Software\VB and VBA Program Settings\WDCLIENT
    HKEY_ALL_USERS\Software\VB and VBA Program Settings\WDCLIENT\SETUP
    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Watchdog II Server
    HKEY_ALL_USERS\Software\VB and VBA Program Settings\WDSERVERDE
    HKEY_ALL_USERS\Software\VB and VBA Program Settings\WDSERVERDE\STARTUP


  5. Creates numerous legitimate registry subkeys associated with the non-malicious components mentioned above.

  6. Adds the values:

    "Wdc" = "%Windows%\Wdc\Wdc.exe"
    "Remote" = "%Windows%\Wdc\remote.exe"


    to the registry subkeys:

    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  7. Executes the client component on the computer that is to be monitored.

  8. Allows the client component to be remotely controlled and configured by the server component.

  9. Logs keystrokes, applications run on the computer, URLs visited, and chats.

  10. Captures screenshots.

  11. Blocks applications or URLs.

  12. Stores logged data locally; the server component can import and view it.

  13. Sends logged data via email.

  14. Runs WinVnc silently so that the server component can take control of input devices such as the mouse and the keyboard on the monitored computer.
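The file names in step 2 and the Run values in step 6 are the indicators a defender can check for on a suspect machine. The following script is an added example, not part of the advisory or any Symantec tool: it parses the text format of a `reg export` file, flags Run values matching step 6, and matches an inventory of on-disk paths against the step 2 file names. The `.reg` text and the file list are constructed sample data; the `HKEY_CURRENT_USER` key is assumed to be the exported form of the per-user hive the advisory writes as `HKEY_ALL_USERS`, and the placeholder expansions in `ENV` are assumed rather than read from a real host. The shared OCX/DLL files from step 3 are deliberately not treated as indicators, since the advisory says other applications use them.

```python
import re

# Indicators transcribed from the advisory (steps 2 and 6). The placeholder
# spellings (%Windir%, %ProgramFiles%, %Windows%) are the advisory's own.
WATCHDOG_FILES = [
    r"%Windir%\Wdc\AppChat.WD",
    r"%Windir%\Wdc\Ijl11.dll",
    r"%Windir%\Wdc\omnithread_rt.dll",
    r"%Windir%\Wdc\remote.exe",
    r"%Windir%\Wdc\Replace.exe",
    r"%Windir%\Wdc\VBKeyboardHook.dll",
    r"%Windir%\Wdc\VNCHooks.dll",
    r"%Windir%\Wdc\Wdc.exe",
    r"%ProgramFiles%\Watchdog II Server\WatchDog.exe",
    r"%ProgramFiles%\Watchdog II Server\Replace.exe",
]
WATCHDOG_RUN_VALUES = {
    "Wdc": r"%Windows%\Wdc\Wdc.exe",
    "Remote": r"%Windows%\Wdc\remote.exe",
}
# Assumption: HKEY_CURRENT_USER is how the advisory's HKEY_ALL_USERS hive
# appears in an export taken from the affected user's session.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Assumed expansions for this example; on a real host read them from the
# environment of the machine being examined.
ENV = {"%windir%": r"c:\windows", "%windows%": r"c:\windows",
       "%programfiles%": r"c:\program files"}


def normalize(path):
    """Lower-case a path or command line, drop quotes and trailing arguments,
    and expand the advisory's placeholder variables so comparisons are exact."""
    p = path.strip().lower()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # quoted executable, then arguments
    else:
        m = re.match(r"(.+?\.exe)(\s|$)", p)  # unquoted executable, then arguments
        if m:
            p = m.group(1)
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def parse_reg_export(text):
    """Minimal parser for 'reg export' text: {key: {value_name: string_data}}.
    Only REG_SZ lines ("name"="data") are kept; other types are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # \\ -> \ and \" -> "
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def find_run_key_indicators(reg_keys):
    """Return (key, name, data) for Run values whose name or target path
    matches the step 6 persistence entries."""
    expected_names = {n.lower() for n in WATCHDOG_RUN_VALUES}
    expected_paths = {normalize(d) for d in WATCHDOG_RUN_VALUES.values()}
    run_keys = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, values in reg_keys.items():
        if key.lower() not in run_keys:
            continue
        for name, data in values.items():
            if name.lower() in expected_names or normalize(data) in expected_paths:
                hits.append((key, name, data))
    return hits


def find_file_indicators(observed_paths):
    """Match a file inventory against the step 2 file names."""
    expected = {normalize(p) for p in WATCHDOG_FILES}
    return sorted(p for p in observed_paths if normalize(p) in expected)


# Constructed sample registry export and file inventory (not real host data).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Wdc"="C:\\WINDOWS\\Wdc\\Wdc.exe"
"Remote"="C:\\WINDOWS\\Wdc\\remote.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''
OBSERVED_FILES = [
    r"C:\WINDOWS\Wdc\Wdc.exe",
    r"C:\WINDOWS\Wdc\VNCHooks.dll",
    r"C:\WINDOWS\system32\mswinsck.ocx",   # shared control from step 3: not flagged
    r"C:\Program Files\Watchdog II Server\WatchDog.exe",
    r"C:\WINDOWS\notepad.exe",
]

if __name__ == "__main__":
    for key, name, data in find_run_key_indicators(parse_reg_export(REG_EXPORT)):
        print(f"Run value matches advisory: {key}\\{name} = {data}")
    for path in find_file_indicators(OBSERVED_FILES):
        print(f"File matches advisory: {path}")
```

Both checks compare normalized full paths rather than bare file names, so a legitimate `Replace.exe` elsewhere on disk is not flagged; extend `ENV` with the real `%Windir%` and `%ProgramFiles%` of the host before running it against a genuine export.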

