When the program is executed, it drops the following files:
- %ProgramFiles%\Sys Detective+\file[(DATE)MMDDYYYY][(TIME)HHMMSS].jpg
- %ProgramFiles%\Sys Detective+\Makecab.exe
- %ProgramFiles%\Sys Detective+\Manual\acehelp.htm
- %ProgramFiles%\Sys Detective+\Manual\activating.htm
- %ProgramFiles%\Sys Detective+\Manual\advance.htm
- %ProgramFiles%\Sys Detective+\Manual\automatic_email.htm
- %ProgramFiles%\Sys Detective+\Manual\capture.htm
- %ProgramFiles%\Sys Detective+\Manual\contact_address.htm
- %ProgramFiles%\Sys Detective+\Manual\edit_menu.htm
- %ProgramFiles%\Sys Detective+\Manual\email_and_ftp_setting.htm
- %ProgramFiles%\Sys Detective+\Manual\export_to_avi_window.htm
- %ProgramFiles%\Sys Detective+\Manual\file_menu__save_as.htm
- %ProgramFiles%\Sys Detective+\Manual\fpace.gif
- %ProgramFiles%\Sys Detective+\Manual\help_menu.htm
- %ProgramFiles%\Sys Detective+\Manual\index.htm
- %ProgramFiles%\Sys Detective+\Manual\installing.htm
- %ProgramFiles%\Sys Detective+\Manual\key_logging.htm
- %ProgramFiles%\Sys Detective+\Manual\license_information.htm
- %ProgramFiles%\Sys Detective+\Manual\main_browse_window.htm
- %ProgramFiles%\Sys Detective+\Manual\menu.htm
- %ProgramFiles%\Sys Detective+\Manual\pcspysoftware_logo.jpg
- %ProgramFiles%\Sys Detective+\Manual\quick_start.htm
- %ProgramFiles%\Sys Detective+\Manual\security.htm
- %ProgramFiles%\Sys Detective+\Manual\slide_show.htm
- %ProgramFiles%\Sys Detective+\Manual\style.css
- %ProgramFiles%\Sys Detective+\Manual\tools_menu.htm
- %ProgramFiles%\Sys Detective+\Manual\view_menu.htm
- %ProgramFiles%\Sys Detective+\Manual\watch_list_window.htm
- %ProgramFiles%\Sys Detective+\Manual\web_site_monitoring.htm
- %ProgramFiles%\Sys Detective+\sysd.exe
- %ProgramFiles%\Sys Detective+\unins000.dat
- %ProgramFiles%\Sys Detective+\unins000.exe
- %ProgramFiles%\Sys Detective+\__acelog.ndx
- %System%\sd16win.dll
- %System%\noaccess.htm
- %System%\exclam.bmp
The program also drops the following clean files:
- %System%\ijl11.dll
- %System%\KTKbdHk.dll
- %System%\Msmapi32.ocx
Next, the program creates the following registry entry so that it executes whenever Windows starts (the value data names sysd without an extension; Windows resolves it to the dropped sysd.exe):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"regsvc" = "C:\Program Files\Sys Detective+\sysd"
The program then creates the following registry subkeys:
HKEY_ALL_USERS\Software\VB and VBA Program Settings\sysd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sys Detective+_is1
It also creates the following clean registry subkeys:
HKEY_CLASSES_ROOT\Interface\{20C62CA2-15DA-101B-B9A8-444553540000}
HKEY_CLASSES_ROOT\Interface\{20C62CAD-15DA-101B-B9A8-444553540000}
HKEY_CLASSES_ROOT\Interface\{F49AC0B0-DF74-11CF-8E74-00A0C90F26F8}
HKEY_CLASSES_ROOT\Interface\{F49AC0B2-DF74-11CF-8E74-00A0C90F26F8}
HKEY_CLASSES_ROOT\MSMAPI.MAPIMessages
HKEY_CLASSES_ROOT\MSMAPI.MAPISession
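The file and registry artifacts above translate directly into a host check. The following PowerShell triage script is an added example written for this page; it is not part of the original write-up and not the program's own code. It assumes the paths and key names exactly as documented; the $hits list, the SID-matching loop and the 32-bit/64-bit directory variants are this script's own choices, and the write-up's "HKEY_ALL_USERS" is read as every loaded user hive under HKEY_USERS.

```powershell
# Added triage script for the Sys Detective+ artifacts listed in this write-up.
# Run in an elevated PowerShell session on the suspect host.
$hits = [System.Collections.Generic.List[string]]::new()

# 1. Autorun: HKLM\...\Run\"regsvc" pointing at ...\Sys Detective+\sysd
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'regsvc' -ErrorAction SilentlyContinue
if ($run -and $run.regsvc -match 'Sys Detective\+\\sysd') {
    $hits.Add("Run value regsvc = $($run.regsvc)")
}

# 2. Uninstall entry and the per-user VB settings key.
#    "HKEY_ALL_USERS" in the write-up is treated here as each loaded hive under HKEY_USERS.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sys Detective+_is1'
if (Test-Path -LiteralPath $uninst) { $hits.Add("Uninstall key present: $uninst") }

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $k = "HKU:\$($_.PSChildName)\Software\VB and VBA Program Settings\sysd"
        if (Test-Path -LiteralPath $k) { $hits.Add("Per-user settings key present: $k") }
    }

# 3. Dropped files. %ProgramFiles% and %System% are resolved from the environment;
#    a 32-bit installer on a 64-bit host lands in Program Files (x86) / SysWOW64,
#    so both variants are checked. -LiteralPath is required because the
#    screenshot file names contain [ and ], which PowerShell otherwise treats as wildcards.
$pfDirs  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

foreach ($pf in $pfDirs) {
    $base = Join-Path $pf 'Sys Detective+'
    if (-not (Test-Path -LiteralPath $base)) { continue }
    foreach ($f in 'sysd.exe', 'Makecab.exe', '__acelog.ndx', 'unins000.exe', 'unins000.dat') {
        $p = Join-Path $base $f
        if (Test-Path -LiteralPath $p) { $hits.Add("File present: $p") }
    }
    # Screenshot captures named file[MMDDYYYY][HHMMSS].jpg; LastWriteTime gives a capture timeline.
    Get-ChildItem -LiteralPath $base -Filter 'file*.jpg' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^file\[\d{8}\]\[\d{6}\]\.jpg$' } |
        ForEach-Object { $hits.Add("Screenshot capture: $($_.FullName) ($($_.LastWriteTime))") }
}

foreach ($sd in $sysDirs) {
    # sd16win.dll, noaccess.htm and exclam.bmp are the program's own; the last three are the
    # "clean" support files and are also shipped by unrelated software.
    foreach ($f in 'sd16win.dll', 'noaccess.htm', 'exclam.bmp', 'KTKbdHk.dll', 'Msmapi32.ocx', 'ijl11.dll') {
        $p = Join-Path $sd $f
        if (Test-Path -LiteralPath $p) { $hits.Add("File present: $p") }
    }
}

# 4. Is the monitor running right now?
Get-Process -Name 'sysd' -ErrorAction SilentlyContinue |
    ForEach-Object { $hits.Add("Process running: sysd (PID $($_.Id)) $($_.Path)") }

if ($hits.Count -eq 0) {
    Write-Output 'No Sys Detective+ artifacts found.'
} else {
    Write-Output "Sys Detective+ indicators found ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Weigh the hits: the Run value, the uninstall key, sysd.exe and the __acelog.ndx log are specific to this program, whereas ijl11.dll, KTKbdHk.dll and Msmapi32.ocx are the clean components the write-up calls out and turn up on hosts that never had Sys Detective+ installed, so they only corroborate the other indicators. The Run value name "regsvc" is chosen to look like a system service; check its data, not just its name.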
The program can then perform the following actions:
- Take screenshots
- Record keystrokes
- Monitor visited Web sites
- Send this information to remote users by email or FTP
- Close any applications or Web sites that contain certain keywords
- Send an email to remote users when certain keywords are entered on the keyboard
- Prevent access to certain Web sites