
Spyware.SpyMan

Updated: May 19, 2008 10:20:12 AM
Type: Spyware
Name: SpyMan
Version: 1.0.0.0
Publisher: Kurt Inc.
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
When the program is executed, it creates the following folders:
  • %System%\fss\AM
  • %System%\fss\HM
  • %System%\fss\IC
  • %System%\fss\images
  • %System%\fss\MC
  • %System%\fss\MC\14-05-2007
  • %System%\fss\OE
  • %System%\fss\YC
  • %System%\fss\YM


It then creates the following files:
  • %UserProfile%\Desktop\how to use SpyMan.lnk
  • %UserProfile%\Local Settings\Temp\MSI484eb.LOG
  • %UserProfile%\Local Settings\Temp\MSI484ec.LOG
  • %UserProfile%\Local Settings\Temp\MSI86d1a.LOG
  • %UserProfile%\Local Settings\Temp\MSI86d1b.LOG
  • %System%\ExTransparent.dll
  • %System%\fss\bad.fss
  • %System%\fss\default.lan
  • %System%\fss\Filter.fss
  • %System%\fss\gud.fss
  • %System%\fss\how to use SpyMan.html
  • %System%\fss\images\blk111_10.gif
  • %System%\fss\images\blk111_11.gif
  • %System%\fss\images\blk111_12.gif
  • %System%\fss\images\blk111_3.gif
  • %System%\fss\images\blk111_4.gif
  • %System%\fss\images\blk111_5.gif
  • %System%\fss\images\blk111_7.gif
  • %System%\fss\images\blk111_8.gif
  • %System%\fss\images\blk111_9.gif
  • %System%\fss\images\in_01.jpg
  • %System%\fss\images\in_02.jpg
  • %System%\fss\images\in_03.jpg
  • %System%\fss\images\in_04.jpg
  • %System%\fss\images\in_05.jpg
  • %System%\fss\images\in_06.jpg
  • %System%\fss\images\reg.jpg
  • %System%\fss\images\scr-comp.gif
  • %System%\fss\images\scr-date.gif
  • %System%\fss\images\scr-emailweb.gif
  • %System%\fss\images\scr-main.gif
  • %System%\fss\images\scr-messenger.gif
  • %System%\fss\images\spacer.gif
  • %System%\fss\images\spybox.jpg
  • %System%\fss\images\Thumbs.db
  • %System%\fss\KS\14-05-2007.fss
  • %System%\fss\misc.fss
  • %System%\fss\PR\14-05-2007.fss
  • %System%\fss\spanish.lan
  • %System%\fss\SS\screenshots.html
  • %System%\fss\winspl.exe
  • %System%\fss\WV\14-05-2007.fss
  • %System%\fss.fss
  • %System%\HDSNLib.dll
  • %System%\ijl11.dll
  • %System%\issf.fss
  • %System%\msado27.tlb
  • %System%\MSMAPI32.OCX
  • %System%\rssf.fss
  • %System%\spmErr.txt
  • %System%\ssf.fss
  • %Windir%\spm.exe
  • %SystemRoot%\LogMan.txt
  • %System%\OSSMTP.dll
  • %System%\OSSMTP.ocx
  • %System%\shdocvw.dll001


It also drops several files with the following names:
  • %System%\fss\SS\[RANDOM NAME]_[DATE]_[TIME].jpg
  • %UserProfile%\Local Settings\Temp\[RANDOM NAME].tmp
  • %Windir%\Installer\[RANDOM NAME].mst


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Service" = "C:\WINDOWS\system32\fss\winspl.exe"
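The autorun value above is named "Microsoft Service" but its data points into %System%\fss, so a host check should match on the value data rather than the name. The following PowerShell script is an added example, not part of the Symantec writeup or the SpyMan program: it looks for that Run entry and for the on-disk artifacts listed above. It assumes an elevated prompt, that %System% resolves to $env:SystemRoot\system32 and %Windir% to $env:SystemRoot, and that the artifact names are the ones given on this page.

```powershell
# Added example (not the writeup's own content): check a Windows host for the
# Spyware.SpyMan persistence entry and on-disk artifacts listed above.
# Assumptions: elevated PowerShell; %System% = $env:SystemRoot\system32,
# %Windir% = $env:SystemRoot.

$System = Join-Path $env:SystemRoot 'system32'

# Run key, value name and artifact paths are taken from the writeup.
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValueName = 'Microsoft Service'
$Artifacts = @(
    (Join-Path $System 'fss\winspl.exe'),      # the autorun target
    (Join-Path $System 'fss.fss'),
    (Join-Path $System 'HDSNLib.dll'),
    (Join-Path $System 'ExTransparent.dll'),
    (Join-Path $System 'spmErr.txt'),
    (Join-Path $env:SystemRoot 'spm.exe'),
    (Join-Path $env:SystemRoot 'LogMan.txt'),
    (Join-Path $System 'fss')                  # folder holding the capture subfolders
)

function Test-SpyManPersistence {
    # Returns the Run value data when 'Microsoft Service' points at fss\winspl.exe,
    # otherwise $null. Matching on the data, not the name, avoids being fooled by
    # the Microsoft-sounding value name.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $entry = $props.PSObject.Properties[$RunValueName]
    if ($null -ne $entry -and $entry.Value -match 'fss\\winspl\.exe') { return $entry.Value }
    return $null
}

function Get-SpyManArtifacts {
    # Returns the subset of listed paths that exist on this host.
    $Artifacts | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-SpyManCaptureCount {
    # Counts screenshot captures dropped under %System%\fss\SS (the writeup gives
    # them as [RANDOM NAME]_[DATE]_[TIME].jpg); a non-zero count suggests the
    # program has already been recording.
    $ss = Join-Path $System 'fss\SS'
    if (-not (Test-Path -LiteralPath $ss)) { return 0 }
    return @(Get-ChildItem -LiteralPath $ss -Filter '*.jpg' -File -ErrorAction SilentlyContinue).Count
}

$autorun  = Test-SpyManPersistence
$found    = @(Get-SpyManArtifacts)
$captures = Get-SpyManCaptureCount

if ($autorun) { Write-Output "Autorun present: $RunKey\$RunValueName = $autorun" }
if ($found.Count -gt 0) {
    Write-Output 'On-disk artifacts found:'
    $found | ForEach-Object { Write-Output "  $_" }
}
if ($captures -gt 0) { Write-Output "Screenshot captures under fss\SS: $captures" }
if (-not $autorun -and $found.Count -eq 0) { Write-Output 'No Spyware.SpyMan indicators found.' }
```

Run it on a host you suspect; a hit on the Run value alone is the strongest signal, since the dated .fss files under KS, PR and WV and the screenshots under SS only appear once the program has been logging.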

It also creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\ProgID\"" = "OSSMTP.Attachment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20C62CA0-15DA-101B-B9A8-444553540000}\VersionIndependentProgID\"" = "MSMAPI.MAPISession"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20C62CAB-15DA-101B-B9A8-444553540000}\ProgID\"" = "MSMAPI.MAPIMessages.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB1AE0D1-634E-11CF-8996-00AA00688B10}\"" = "MAPIMessages General Property Page Object"


The program then creates the following registry subkeys:
  • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline\.Default
  • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert\.Default
  • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail\.Default
  • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage\.Default
  • HKEY_CLASSES_ROOT\CLSID\{30BA1EC1-0059-4F91-9489-8D4E1189C688}
  • HKEY_CLASSES_ROOT\CLSID\{32AA3950-881F-4712-8B35-83BF6825921F}
  • HKEY_CLASSES_ROOT\CLSID\{5D4A5007-57B4-11D7-82A2-A4E31FDA2541}
  • HKEY_CLASSES_ROOT\CLSID\{A71C9F09-FD16-4EFD-A939-A7157371B850}
  • HKEY_CLASSES_ROOT\HDSNLib.HDSN
  • HKEY_CLASSES_ROOT\Interface\{06F979F8-6769-4E37-8F1E-682C5974AD65}
  • HKEY_CLASSES_ROOT\Interface\{473A13B0-A44B-4025-B665-2E1FB3AA707E}
  • HKEY_CLASSES_ROOT\Interface\{4ED7A4FC-6D07-4A22-AD0F-E00BC5168058}
  • HKEY_CLASSES_ROOT\Interface\{586E813A-46C0-4180-BC90-2092AD205300}
  • HKEY_CLASSES_ROOT\Interface\{5D4A5006-57B4-11D7-82A2-A4E31FDA2541}
  • HKEY_CLASSES_ROOT\Interface\{5DF827DD-575A-4E39-A674-7C5EE792EAE7}
  • HKEY_CLASSES_ROOT\Interface\{72911F41-3592-4FCE-98FB-4DFE319E2936}
  • HKEY_CLASSES_ROOT\Interface\{7BB6757C-0987-4873-B1EF-1908D79C57E8}
  • HKEY_CLASSES_ROOT\Interface\{A5F268FB-F09B-4B59-A0B0-B28952CECF99}
  • HKEY_CLASSES_ROOT\Interface\{A772B691-5338-4285-8E2B-B16E8076274F}
  • HKEY_CLASSES_ROOT\Interface\{AABC19AB-D4EB-4E63-B16D-9A46B935CA7D}
  • HKEY_CLASSES_ROOT\Interface\{D5D50503-7894-4282-8E9B-072C04AC15B8}
  • HKEY_CLASSES_ROOT\MSMAPI.MAPIMessages.1
  • HKEY_CLASSES_ROOT\MSMAPI.MAPIMessages
  • HKEY_CLASSES_ROOT\MSMAPI.MAPISession.1
  • HKEY_CLASSES_ROOT\MSMAPI.MAPISession
  • HKEY_CLASSES_ROOT\TypeLib\{5D4A5005-57B4-11D7-82A2-A4E31FDA2541}
  • HKEY_CLASSES_ROOT\TypeLib\{780134DB-223D-45F5-AB63-5406A0F66C2C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{16AC2941-62F8-4FDB-A2E7-510A3A6887E1}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20C62CA2-15DA-101B-B9A8-444553540000}


The program may then perform the following activities on the computer:
  • Record all keystrokes
  • Take screenshots based on a provided list of keywords
  • Monitor and log all applications that are started on the computer
  • Monitor chat sessions
  • Send all of the saved logs to a predefined email address
  • Perform all of the above activities in stealth mode