
Spyware.StealthChatMon

Updated: July 23, 2007 3:22:12 PM
Type: Spyware
Name: Stealth Chat Monitor
Version: 1.5 (build 93)
Publisher: Amplusnet
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the program is executed, it drops the following files:
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\AIMusers.usr
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\ICQusers.usr
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\MSNusers.usr
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\Skypeusers.usr
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\SysAllDaySysMessenger.xsl
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\Sysbk.bmp
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\SysMessenger.xsl
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\SystemChatErrors.txt
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\TestEmail.xml
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\Yahoousers.usr
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\SendEmail.exe
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\SystemChatHelp.chm
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\SystemMessenger.dll
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\SystemMessenger.exe
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\SystemMessengerUninstaller.exe
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\xcacls.exe


It also creates the following folders:
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\AIM
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\ICQ
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\MSN
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\Skype
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\Users
  • C:\Documents and Settings\All Users\Application Data\SystemMessenger\Logs\Yahoo


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SystemMessenger" = "C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\All Users\Application Data\SystemMessenger\SystemMessenger.dll" rdl"

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\SystemMessenger

The program monitors chat conversations in the following clients:
  • AIM
  • ICQ
  • MSN
  • Skype
  • Yahoo


It then sends the harvested information to a remote user.
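
The file and registry indicators listed above can be matched against data collected from a host. The following is an added example, not part of the original write-up: it assumes the Run key values and a file listing have already been exported into Python structures, and the function names and sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the write-up above.
INSTALL_DIR = r"C:\Documents and Settings\All Users\Application Data\SystemMessenger"
RUN_VALUE_NAME = "SystemMessenger"
DROPPED_BINARIES = ("SendEmail.exe", "SystemMessenger.dll", "SystemMessenger.exe",
                    "SystemMessengerUninstaller.exe", "xcacls.exe")

# rundll32[.exe] "<dll>" <export>; the DLL path may also be unquoted.
RUNDLL32_RE = re.compile(
    r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))[\s,]*(?P<export>\S*)',
    re.IGNORECASE)

def norm(path):
    """Normalise a Windows path for case-insensitive comparison (works on any OS)."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def parse_rundll32(command):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(command)
    return ((m.group("qdll") or m.group("dll")), m.group("export")) if m else None

def check_run_entries(run_values):
    """run_values: {value name: data} exported from HKLM\\...\\CurrentVersion\\Run.
    Flags the documented value name, or any rundll32 entry loading from INSTALL_DIR."""
    prefix = norm(INSTALL_DIR) + "\\"
    hits = []
    for name, command in run_values.items():
        parsed = parse_rundll32(command)
        from_dir = parsed is not None and norm(parsed[0]).startswith(prefix)
        if name.lower() == RUN_VALUE_NAME.lower() or from_dir:
            hits.append((name, parsed))
    return hits

def check_files(paths):
    """Return the paths that match a dropped binary inside INSTALL_DIR."""
    wanted = {norm(ntpath.join(INSTALL_DIR, f)) for f in DROPPED_BINARIES}
    return [p for p in paths if norm(p) in wanted]

# Constructed sample data: one entry as documented, one unrelated entry.
SAMPLE_RUN = {
    "SystemMessenger": r'C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings'
                       r'\All Users\Application Data\SystemMessenger\SystemMessenger.dll" rdl',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for name, parsed in check_run_entries(SAMPLE_RUN):
        print("suspicious Run value:", name, parsed)
```

Matching on the DLL location as well as the value name means a renamed Run value that still loads from the documented folder is reported.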