When the program is executed, it creates the following files:
- C:\Documents and Settings\All Users\Application Data\RPSP\Data\[USER NAME]\[DATE]\[RANDOM NAME].rsc
- C:\Documents and Settings\All Users\Application Data\RPSP\rpsp.log
- C:\Documents and Settings\All Users\Desktop\Red Pill Spy Setup.lnk
- %Windir%\Installer\[RANDOM NAME].msi
It may also create temporary files in the following location:
It also creates the following registry subkey:
The program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RPSP" = "%Program Files%\RPSP\Rpsserv32.exe"
It also creates the following registry subkeys:
The program uses stealth mode in order to hide its activities on the computer.
It performs the following actions on the computer:
- Captures screenshots
- Records keystrokes
- Logs a list of files and Web sites that have been visited
- May record conversations using Audio Surveillance
- Monitors multiple users on the computer
The program may send the gathered information to a remote attacker.
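
The file paths and the Run entry listed above can be matched against a file listing and an autorun export collected from a host. The following is an added example, not part of the original write-up, and its sample listings are constructed. It assumes each bracketed placeholder stands for exactly one path component and that `%Windir%` and `%Program Files%` resolve to a directory directly under a drive root.

```python
import re

# Indicators copied from the write-up; [..] and %..% fields are its placeholders.
# "weak": the Windows Installer cache also holds randomly named .msi files of legitimate software.
FILE_TEMPLATES = [
    ("strong", r"C:\Documents and Settings\All Users\Application Data\RPSP\Data\[USER NAME]\[DATE]\[RANDOM NAME].rsc"),
    ("strong", r"C:\Documents and Settings\All Users\Application Data\RPSP\rpsp.log"),
    ("strong", r"C:\Documents and Settings\All Users\Desktop\Red Pill Spy Setup.lnk"),
    ("weak", r"%Windir%\Installer\[RANDOM NAME].msi"),
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE, RUN_DATA = "RPSP", r"%Program Files%\RPSP\Rpsserv32.exe"
TOKEN = re.compile(r"(\[[A-Z ]+\]|%[A-Za-z ]+%)")

def template_to_regex(template):
    """Turn one of the write-up's path templates into a case-insensitive regex."""
    out = []
    for piece in TOKEN.split(template):
        if piece.startswith("["):
            out.append(r"[^\\]+")              # placeholder: exactly one path component
        elif piece.startswith("%"):
            out.append(r"[A-Za-z]:\\[^\\]+")   # assumption: one directory under a drive root
        else:
            out.append(re.escape(piece))       # literal text from the write-up
    return re.compile("".join(out), re.IGNORECASE)

def scan(file_paths, run_entries):
    """Return (strength, indicator, observed) for each listing entry that matches."""
    hits = []
    for strength, template in FILE_TEMPLATES:
        rx = template_to_regex(template)
        hits += [(strength, template, p) for p in file_paths if rx.fullmatch(p.strip())]
    rx = template_to_regex(RUN_DATA)
    for key, name, data in run_entries:
        same_value = key.rstrip("\\").lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE.lower()
        if same_value and rx.fullmatch(data.strip().strip('"')):
            hits.append(("strong", RUN_KEY + "\\" + RUN_VALUE, data))
    return hits

# Constructed sample listings (not taken from a real host).
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Application Data\RPSP\Data\alice\2009-03-14\qx7t.rsc",
    r"C:\Documents and Settings\All Users\Application Data\RPSP\rpsp.log",
    r"C:\WINDOWS\Installer\3f2a1c.msi",
    r"C:\Documents and Settings\alice\Desktop\notes.txt",
]
SAMPLE_RUN = [
    (RUN_KEY, "RPSP", r'"C:\Program Files\RPSP\Rpsserv32.exe"'),
    (RUN_KEY, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
```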