
Spyware.RedPill

Updated:
January 30, 2008 4:42:14 PM
Type:
Spyware
Name:
Red Pill Spy
Version:
3.71
Publisher:
www.redpill.co.za
Risk Impact:
Low
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
When the program is executed, it creates the following files:
  • C:\Documents and Settings\All Users\Application Data\RPSP\Data\[USER NAME]\[DATE]\[RANDOM NAME].rsc
  • C:\Documents and Settings\All Users\Application Data\RPSP\rpsp.log
  • C:\Documents and Settings\All Users\Desktop\Red Pill Spy Setup.lnk
  • %ProgramFiles%\RPSP\AdvSetup.exe
  • %ProgramFiles%\RPSP\Rpkbhk.DLL
  • %ProgramFiles%\RPSP\RPSP.chm
  • %ProgramFiles%\RPSP\RpspExport.exe
  • %ProgramFiles%\RPSP\RPSPStart.exe
  • %ProgramFiles%\RPSP\Rpsserv32.exe
  • %Windir%\Installer\[RANDOM NAME].msi


It may also create temporary files in the following location:
%Temp%

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B4F26C1-701A-441F-9DB3-700BD94454AF}

The program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RPSP" = "%ProgramFiles%\RPSP\Rpsserv32.exe"

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\%ProgramFiles%\RPSP\AdvSetup.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\%ProgramFiles%\RPSP\RPSPStart.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\%ProgramFiles%\RPSP\Rpkbhk.dll
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\%ProgramFiles%\RPSP\RpspExport.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\%ProgramFiles%\RPSP\Rpsserv32.exe
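The file, registry and persistence artifacts listed above can be swept for on a host with the following PowerShell script. It is an added example, not Symantec's or the publisher's code, and it only detects; it does not remove anything. Assumptions not taken from the writeup: the %ProgramData%\RPSP path is checked as the Windows Vista and later equivalent of the "All Users\Application Data" path listed for Windows 2000/XP, the HKCU Installer\Assemblies keys are matched loosely on the string "RPSP" rather than on the exact key names shown, and Rpsserv32.exe is assumed to be the resident process that the Run value starts.

```powershell
# Added example (not Symantec's code): look for the Spyware.RedPill artifacts
# listed in the writeup. Detection only; run as an administrator so HKLM and
# %ProgramFiles% are fully readable.
$findings = @()

$pf   = $env:ProgramFiles
$dirs = @(
    "$pf\RPSP",
    "$env:ProgramData\RPSP",                                     # assumption: Vista+ layout
    "C:\Documents and Settings\All Users\Application Data\RPSP"  # path as listed (2000/XP layout)
)
$files = @('AdvSetup.exe', 'Rpkbhk.DLL', 'RPSP.chm', 'RpspExport.exe', 'RPSPStart.exe', 'Rpsserv32.exe')

foreach ($d in $dirs) {
    if (Test-Path -LiteralPath $d) { $findings += "directory present: $d" }
}
foreach ($f in $files) {
    $p = Join-Path "$pf\RPSP" $f
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# Capture files carry random names, so match on the .rsc extension the writeup gives.
foreach ($d in $dirs[1..2]) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Recurse -Filter '*.rsc' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "capture file: $($_.FullName)" }
    }
}

# Persistence: the HKLM Run value "RPSP" pointing at Rpsserv32.exe.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                        -Name RPSP -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value RPSP = $($run.RPSP)" }

# Installer footprint: the uninstall GUID and the HKCU Installer\Assemblies keys.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B4F26C1-701A-441F-9DB3-700BD94454AF}'
if (Test-Path -LiteralPath $uninst) { $findings += "uninstall key present: $uninst" }
# Assumption: match key names containing RPSP instead of the exact names shown,
# since the Installer provider encodes the file path inside the key name.
Get-ChildItem -Path 'HKCU:\Software\Microsoft\Installer\Assemblies' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '*RPSP*' } |
    ForEach-Object { $findings += "installer assembly key: $($_.Name)" }

# The program hides its activity, so also check the process table for the
# component the Run value launches (assumption: Rpsserv32.exe stays resident).
Get-Process -Name Rpsserv32 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "process running: $($_.Name) PID $($_.Id) ($($_.Path))" }

if ($findings.Count -eq 0) { 'No Spyware.RedPill artifacts found.' } else { $findings }
```

Because Red Pill Spy is a commercially sold monitoring product, a hit on these artifacts shows that the software is installed, not by whom or with what authorization; the Run value lives under HKLM, so whoever installed it had administrative rights on the machine at the time.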

The program runs in stealth mode to hide its activity from the user of the computer.

It performs the following actions on the computer:
  • Captures screenshots
  • Records keystrokes
  • Logs the files opened and the Web sites visited
  • May record conversations through its audio surveillance feature
  • Monitors multiple user accounts on the computer

The program may send the gathered information to a remote attacker.