Updated: February 13, 2007 11:48:34 AM
Type: Spyware
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Spyware.ESurveiller is installed, it performs the following actions:
- Creates the following files:
- %UserProfile%\Application Data\SurveilleTech\e-Surveiller\LogDB\C0000000
- %UserProfile%\Application Data\SurveilleTech\e-Surveiller\LogDB\cfgdb.idx
- %UserProfile%\Application Data\SurveilleTech\e-Surveiller\LogDB\logdb.idx
- %UserProfile%\Desktop\e-Surveiller Station.lnk
- %UserProfile%\Start Menu\Programs\e-Surveiller\e-Surveiller Help.lnk
- %UserProfile%\Start Menu\Programs\e-Surveiller\e-Surveiller log viewer.lnk
- %UserProfile%\Start Menu\Programs\e-Surveiller\e-Surveiller Station.lnk
- %UserProfile%\Start Menu\Programs\e-Surveiller\Ordering Information.lnk
- %UserProfile%\Start Menu\Programs\e-Surveiller\Read Me.lnk
- %UserProfile%\Start Menu\Programs\e-Surveiller\Uninstall e-Surveiller.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\e-Surveiller\e-Surveiller Help.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\e-Surveiller\e-Surveiller log viewer.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\e-Surveiller\e-Surveiller Station.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\e-Surveiller\Ordering Information.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\e-Surveiller\Read Me.lnk
- %ProgramFiles%\e-Surveiller\alert.wav
- %ProgramFiles%\e-Surveiller\Build\asycfilt.bin
- %ProgramFiles%\e-Surveiller\Build\COMCAT.bin
- %ProgramFiles%\e-Surveiller\Build\deactive.BIN
- %ProgramFiles%\e-Surveiller\Build\install.BIN
- %ProgramFiles%\e-Surveiller\Build\install.ico
- %ProgramFiles%\e-Surveiller\Build\makensis.exe
- %ProgramFiles%\e-Surveiller\Build\MON.BIN
- %ProgramFiles%\e-Surveiller\Build\msvbvm50.bin
- %ProgramFiles%\e-Surveiller\Build\MSWINSCK.BIN
- %ProgramFiles%\e-Surveiller\Build\oleaut32.bin
- %ProgramFiles%\e-Surveiller\Build\olepro32.bin
- %ProgramFiles%\e-Surveiller\Build\stdole2.bin
- %ProgramFiles%\e-Surveiller\eshelp.chm
- %ProgramFiles%\e-Surveiller\esicons.fon
- %ProgramFiles%\e-Surveiller\eSRead.exe
- %ProgramFiles%\e-Surveiller\eStation.exe
- %ProgramFiles%\e-Surveiller\eSUpdate.exe
- %ProgramFiles%\e-Surveiller\esviewer.chm
- %ProgramFiles%\e-Surveiller\JPeg32.dll
- %ProgramFiles%\e-Surveiller\order.htm
- %ProgramFiles%\e-Surveiller\orderonline.gif
- %ProgramFiles%\e-Surveiller\ReadMe.txt
- %ProgramFiles%\e-Surveiller\uninstall.exe
- %ProgramFiles%\e-Surveiller\zlib.dll
- %UserProfile%\Application Data\Microsoft\Internet Explorer\apps.ini
- %CurrentFolder%\[RANDOM FILE NAME].exe
When one of these files, %CurrentFolder%\[RANDOM FILE NAME].exe, is executed, it drops the following files:
- %System%\[RANDOM FILE NAME].exe
- %System%\[RANDOM FILE NAME].ini
- %System%\[RANDOM FILE NAME].tmp
The names of these files will be the same as the %CurrentFolder%\[RANDOM FILE NAME].exe file dropped by the risk.
Notes:
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
- %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following legitimate files, which may be used by other programs:
- %UserProfile%\Local Settings\Temp\RICHED32.DLL
- %System%\comdlg32.ocx
- %System%\mscomct2.ocx
- %System%\mscomctl.ocx
- %System%\mswinsck.ocx
- %System%\richtx32.ocx
- %System%\zlib.dll
- Creates the following registry subkeys:
HKEY_ALL_USERS\Software\SurveilleTech
HKEY_ALL_USERS\Software\SurveilleTech\e-Surveiller
HKEY_ALL_USERS\Software\SurveilleTech\e-Surveiller\1.x
HKEY_CLASSES_ROOT\e-Surveiller.Logfile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e-Surveiller
HKEY_LOCAL_MACHINE\SOFTWARE\SurveilleTech
HKEY_LOCAL_MACHINE\SOFTWARE\SurveilleTech\e-Surveiller
HKEY_LOCAL_MACHINE\SOFTWARE\SurveilleTech\e-Surveiller\1.x
- Adds the value:
"" = "e-Surveiller.Logfile"
to the registry subkey:
HKEY_CLASSES_ROOT\.zlg
so that the risk runs every time Windows starts.
- Adds the value:
"e-Surveiller Station" = "%ProgramFiles%\e-Surveiller\estation.exe"
to the registry subkeys:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce
so that the risk runs every time Windows starts.
- Adds the value:
"esicons" = "%ProgramFiles%\e-Surveiller\esicons.fon"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
so that the risk runs every time Windows starts.
- Adds the value:
"[CONFIGURABLE FILE NAME]" = "%System%\[CONFIGURABLE FILE NAME].exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
- Monitors and records the following activities on the compromised computer:
- Keystrokes
- Mouse clicks
- Instant message conversations
- Internet activity
- Applications used
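As an added example that is not part of this writeup, the following Python script turns two of the indicators above into offline checks: the exe/ini/tmp triplet dropped into the System folder under one random name, and the Run/RunOnce autostart values. The listing, registry values and the name "qz7k1" are constructed sample data; on a live host you would pass os.listdir() of the System folder and the values read from the Run/RunOnce subkeys with winreg instead.

```python
"""Offline checks for two artifact patterns the writeup describes: the
exe/ini/tmp triplet dropped into the System folder under one random name, and
the Run/RunOnce autostart values.  Inputs are constructed so it runs anywhere;
on a live host pass os.listdir() of the System folder and the values read from
the Run/RunOnce subkeys with winreg."""
import ntpath
from collections import defaultdict

# Autostart value and image named in the writeup (lower-cased for matching).
KNOWN_RUN_VALUE = "e-Surveiller Station"
KNOWN_RUN_IMAGE = r"\e-surveiller\estation.exe"
TRIPLET_EXTS = {".exe", ".ini", ".tmp"}

def find_dropped_triplets(system_listing):
    """Basenames for which NAME.exe, NAME.ini and NAME.tmp all exist."""
    exts_by_base = defaultdict(set)
    for name in system_listing:
        base, ext = ntpath.splitext(name)
        exts_by_base[base.lower()].add(ext.lower())
    return sorted(b for b, e in exts_by_base.items() if TRIPLET_EXTS <= e)

def suspicious_run_values(run_values, triplets, system_dir):
    """run_values: {value_name: data} from one Run/RunOnce subkey.
    Returns (value_name, data, reason) for the e-Surveiller value itself and
    for any value launching %System%\\NAME.exe where NAME is a dropped triplet."""
    hits = []
    sysdir = system_dir.lower().rstrip("\\")
    for value, data in run_values.items():
        image = data.strip().strip('"').lower()
        if value == KNOWN_RUN_VALUE or image.endswith(KNOWN_RUN_IMAGE):
            hits.append((value, data, "e-Surveiller Station autostart"))
            continue
        base = ntpath.splitext(ntpath.basename(image))[0]
        if base in triplets and ntpath.dirname(image) == sysdir:
            hits.append((value, data, "autostart of exe/ini/tmp triplet in System folder"))
    return hits

# Constructed sample data; "qz7k1" stands in for the random dropper name.
SAMPLE_SYSTEM32 = ["kernel32.dll", "qz7k1.exe", "qz7k1.ini", "qz7k1.tmp",
                   "legitupd.exe", "legitupd.ini", "mswinsck.ocx"]
SAMPLE_RUN = {
    "e-Surveiller Station": r"C:\Program Files\e-Surveiller\estation.exe",
    "qz7k1": r'"C:\Windows\System32\qz7k1.exe"',
    "LegitUpdater": r"C:\Windows\System32\legitupd.exe",
}

if __name__ == "__main__":
    found = find_dropped_triplets(SAMPLE_SYSTEM32)
    for hit in suspicious_run_values(SAMPLE_RUN, found, r"C:\Windows\System32"):
        print(hit)
```

The triplet check only flags names where all three extensions are present, so a legitimate exe with a stray .ini beside it (LegitUpdater in the sample) is not reported.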