
Spyware.SysDetective

Updated: July 24, 2007 12:01:52 PM
Type: Spyware
Name: Sys Detective+
Version: 2.3.5
Publisher: Indian Shareware Pro
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When the program is executed, it drops the following files:
  • %ProgramFiles%\Sys Detective+\file[(DATE)MMDDYYYY][(TIME)HHMMSS].jpg
  • %ProgramFiles%\Sys Detective+\Makecab.exe
  • %ProgramFiles%\Sys Detective+\Manual\acehelp.htm
  • %ProgramFiles%\Sys Detective+\Manual\activating.htm
  • %ProgramFiles%\Sys Detective+\Manual\advance.htm
  • %ProgramFiles%\Sys Detective+\Manual\automatic_email.htm
  • %ProgramFiles%\Sys Detective+\Manual\capture.htm
  • %ProgramFiles%\Sys Detective+\Manual\contact_address.htm
  • %ProgramFiles%\Sys Detective+\Manual\edit_menu.htm
  • %ProgramFiles%\Sys Detective+\Manual\email_and_ftp_setting.htm
  • %ProgramFiles%\Sys Detective+\Manual\export_to_avi_window.htm
  • %ProgramFiles%\Sys Detective+\Manual\file_menu__save_as.htm
  • %ProgramFiles%\Sys Detective+\Manual\fpace.gif
  • %ProgramFiles%\Sys Detective+\Manual\help_menu.htm
  • %ProgramFiles%\Sys Detective+\Manual\index.htm
  • %ProgramFiles%\Sys Detective+\Manual\installing.htm
  • %ProgramFiles%\Sys Detective+\Manual\key_logging.htm
  • %ProgramFiles%\Sys Detective+\Manual\license_information.htm
  • %ProgramFiles%\Sys Detective+\Manual\main_browse_window.htm
  • %ProgramFiles%\Sys Detective+\Manual\menu.htm
  • %ProgramFiles%\Sys Detective+\Manual\pcspysoftware_logo.jpg
  • %ProgramFiles%\Sys Detective+\Manual\quick_start.htm
  • %ProgramFiles%\Sys Detective+\Manual\security.htm
  • %ProgramFiles%\Sys Detective+\Manual\slide_show.htm
  • %ProgramFiles%\Sys Detective+\Manual\style.css
  • %ProgramFiles%\Sys Detective+\Manual\tools_menu.htm
  • %ProgramFiles%\Sys Detective+\Manual\view_menu.htm
  • %ProgramFiles%\Sys Detective+\Manual\watch_list_window.htm
  • %ProgramFiles%\Sys Detective+\Manual\web_site_monitoring.htm
  • %ProgramFiles%\Sys Detective+\sysd.exe
  • %ProgramFiles%\Sys Detective+\unins000.dat
  • %ProgramFiles%\Sys Detective+\unins000.exe
  • %ProgramFiles%\Sys Detective+\__acelog.ndx
  • %System%\sd16win.dll
  • %System%\noaccess.htm
  • %System%\exclam.bmp

The program also drops the following clean files:
  • %System%\ijl11.dll
  • %System%\KTKbdHk.dll
  • %System%\Msmapi32.ocx

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"regsvc" = "C:\Program Files\Sys Detective+\sysd"

The program then creates the following registry subkeys:
HKEY_ALL_USERS\Software\VB and VBA Program Settings\sysd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sys Detective+_is1

It also creates the following clean registry subkeys:
HKEY_CLASSES_ROOT\Interface\{20C62CA2-15DA-101B-B9A8-444553540000}
HKEY_CLASSES_ROOT\Interface\{20C62CAD-15DA-101B-B9A8-444553540000}
HKEY_CLASSES_ROOT\Interface\{F49AC0B0-DF74-11CF-8E74-00A0C90F26F8}
HKEY_CLASSES_ROOT\Interface\{F49AC0B2-DF74-11CF-8E74-00A0C90F26F8}
HKEY_CLASSES_ROOT\MSMAPI.MAPIMessages
HKEY_CLASSES_ROOT\MSMAPI.MAPISession
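The following PowerShell script is an added example of checking a host for the indicators listed above; it is not a Symantec tool and removes nothing. It assumes the file paths and registry values exactly as this writeup gives them, and reads the per-user "VB and VBA Program Settings\sysd" key under HKCU, since "HKEY_ALL_USERS" is not a hive name PowerShell exposes.

```powershell
# Added example: report Sys Detective+ indicators from this writeup (detection only, no removal).
# Run from an elevated PowerShell prompt on the host being examined.

$indicators = @()

# 1. Persistence: the Run value "regsvc" pointing at the dropped sysd executable.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).regsvc
if ($runVal -and $runVal -like '*Sys Detective+\sysd*') {
    $indicators += "Run value 'regsvc' = $runVal"
}

# 2. Dropped files specific to the spyware (the "clean" DLLs are omitted because
#    their presence alone is not conclusive).
$programFiles = $env:ProgramFiles
$system32 = Join-Path $env:SystemRoot 'System32'
$files = @(
    (Join-Path $programFiles 'Sys Detective+\sysd.exe'),
    (Join-Path $programFiles 'Sys Detective+\__acelog.ndx'),
    (Join-Path $system32 'sd16win.dll'),
    (Join-Path $system32 'noaccess.htm')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $indicators += "File present: $f" }
}

# 3. Registry subkeys created by the installer. HKCU is an assumption for the
#    per-user key the writeup lists under "HKEY_ALL_USERS".
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sys Detective+_is1',
    'HKCU:\Software\VB and VBA Program Settings\sysd'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $indicators += "Registry key present: $k" }
}

if ($indicators.Count -eq 0) {
    Write-Output 'No Sys Detective+ indicators found.'
} else {
    Write-Output "Sys Detective+ indicators found ($($indicators.Count)):"
    $indicators | ForEach-Object { Write-Output "  $_" }
}
```

Because the tool is a commercial monitoring product, a hit should be confirmed against the host's installed-software inventory before treating it as an unauthorized installation.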

The program can then perform the following actions:
  • Take screenshots
  • Record keystrokes
  • Monitor visited Web sites
  • Send this information to remote users by email or FTP
  • Close any applications or Web sites that contain certain keywords
  • Send an email to remote users when certain keywords are entered on the keyboard
  • Prevent access to certain Web sites