Spyware.ABSystemSpy

Updated: April 26, 2006 2:01:41 PM
Type: Spyware
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Spyware.ABSystemSpy is a spyware program that monitors user activity, logs keystrokes, and captures screenshots.

When Spyware.ABSystemSpy is first installed, it creates the following files:
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\AB System Spy v5.1.1.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\Install default settings.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\License.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\Read user manual.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\Uninstall AB System Spy v5.1.1 build 3.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\Visit Our Website.lnk
%ProgramFiles%\SSystem v5.1.1 build 3\abss.chm
%ProgramFiles%\SSystem v5.1.1 build 3\abss.url
%ProgramFiles%\SSystem v5.1.1 build 3\Administrator\log.htm
%ProgramFiles%\SSystem v5.1.1 build 3\Administrator\[RANDOM].jpg
%ProgramFiles%\SSystem v5.1.1 build 3\defaults.reg
%ProgramFiles%\SSystem v5.1.1 build 3\license.txt
%ProgramFiles%\SSystem v5.1.1 build 3\system.exe
%ProgramFiles%\SSystem v5.1.1 build 3\unins000.dat
%ProgramFiles%\SSystem v5.1.1 build 3\unins000.exe
%ProgramFiles%\AB System Spy v5.1.1 build 3\abss.chm
%ProgramFiles%\AB System Spy v5.1.1 build 3\abss.url
%ProgramFiles%\AB System Spy v5.1.1 build 3\Administrator\log.htm
%ProgramFiles%\AB System Spy v5.1.1 build 3\Administrator\[RANDOM].jpg
%ProgramFiles%\AB System Spy v5.1.1 build 3\defaults.reg
%ProgramFiles%\AB System Spy v5.1.1 build 3\ijl15.dll
%ProgramFiles%\AB System Spy v5.1.1 build 3\license.txt
%ProgramFiles%\AB System Spy v5.1.1 build 3\mswinsck.ocx
%ProgramFiles%\AB System Spy v5.1.1 build 3\sys.exe
%ProgramFiles%\AB System Spy v5.1.1 build 3\unins000.dat
%ProgramFiles%\AB System Spy v5.1.1 build 3\unins000.exe


The risk creates the following files, which may be used by legitimate applications:
%ProgramFiles%\SSystem v5.1.1 build 3\mswinsck.ocx
%ProgramFiles%\SSystem v5.1.1 build 3\ijl15.dll

The risk also creates the following folders:
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3
%ProgramFiles%\AB System Spy v5.1.1 build 3
%ProgramFiles%\SSystem v5.1.1 build 3
%ProgramFiles%\SSystem v5.1.1 build 3\Administrator (This folder may contain numerous randomly named .jpg files which are the images of the screenshots gathered by the risk.)


The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AB System Spy v5.1.1 build 3_is1
HKEY_LOCAL_MACHINE\SOFTWARE\AB System Spy v5.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\SSystem
HKEY_ALL_USERS\Software\VB and VBA Program Settings\SSystem

The risk also creates numerous legitimate registry subkeys associated with the non-malicious components mentioned above that are installed by the risk.

Then the risk creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"abss" = "c:\program files\ssystem v5.1.1 build 3\system.exe"

The risk then monitors user activity on the compromised computer, logs keystrokes, and captures screenshots.
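
The folders, registry subkeys, and Run entry listed above can be checked on a host with a read-only script. This is an added example, not part of the original write-up; it assumes HKEY_ALL_USERS refers to the per-user hive (only HKCU of the current user is checked) and resolves %ProgramFiles% and %UserProfile% exactly as the page gives them.

```powershell
# Added example: read-only check for the artifacts named in this write-up.
# Nothing is modified or deleted; results are only reported.
$folders = @(
    (Join-Path $env:ProgramFiles 'SSystem v5.1.1 build 3'),
    (Join-Path $env:ProgramFiles 'AB System Spy v5.1.1 build 3'),
    (Join-Path $env:USERPROFILE  'Start Menu\Programs\SSystem v5.1.1 build 3')
)
$subkeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AB System Spy v5.1.1 build 3_is1',
    'HKLM:\SOFTWARE\AB System Spy v5.1.1',
    'HKLM:\SOFTWARE\SSystem',
    # Assumption: HKEY_ALL_USERS means each user's hive; only the current user is checked.
    'HKCU:\Software\VB and VBA Program Settings\SSystem'
)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$findings = @()
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Type = 'Folder'; Item = $f }
    }
}
foreach ($k in $subkeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $k }
    }
}

# The "abss" Run value is what starts system.exe at every boot.
$run = Get-ItemProperty -LiteralPath $runKey -Name 'abss' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "abss = $($run.abss)" }
}

# Randomly named .jpg files in the Administrator folder are captured screenshots.
$shotDir = Join-Path $folders[0] 'Administrator'
if (Test-Path -LiteralPath $shotDir) {
    $count = @(Get-ChildItem -LiteralPath $shotDir -Filter '*.jpg' -ErrorAction SilentlyContinue).Count
    $findings += [pscustomobject]@{ Type = 'Screenshots'; Item = "$count .jpg file(s) in $shotDir" }
}

# mswinsck.ocx and ijl15.dll are deliberately not matched on their own:
# the write-up notes that legitimate applications may use them.
if ($findings.Count -eq 0) {
    'No Spyware.ABSystemSpy artifacts from this write-up were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```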