When the program is executed, it creates the following folders:
- %System%\fss\AM
- %System%\fss\HM
- %System%\fss\IC
- %System%\fss\images
- %System%\fss\MC
- %System%\fss\MC\14-05-2007
- %System%\fss\OE
- %System%\fss\YC
- %System%\fss\YM
It then creates the following files:
- %UserProfile%\Desktop\how to use SpyMan.lnk
- %UserProfile%\Local Settings\Temp\MSI484eb.LOG
- %UserProfile%\Local Settings\Temp\MSI484ec.LOG
- %UserProfile%\Local Settings\Temp\MSI86d1a.LOG
- %UserProfile%\Local Settings\Temp\MSI86d1b.LOG
- %System%\ExTransparent.dll
- %System%\fss\bad.fss
- %System%\fss\default.lan
- %System%\fss\Filter.fss
- %System%\fss\gud.fss
- %System%\fss\how to use SpyMan.html
- %System%\fss\images\blk111_10.gif
- %System%\fss\images\blk111_11.gif
- %System%\fss\images\blk111_12.gif
- %System%\fss\images\blk111_3.gif
- %System%\fss\images\blk111_4.gif
- %System%\fss\images\blk111_5.gif
- %System%\fss\images\blk111_7.gif
- %System%\fss\images\blk111_8.gif
- %System%\fss\images\blk111_9.gif
- %System%\fss\images\in_01.jpg
- %System%\fss\images\in_02.jpg
- %System%\fss\images\in_03.jpg
- %System%\fss\images\in_04.jpg
- %System%\fss\images\in_05.jpg
- %System%\fss\images\in_06.jpg
- %System%\fss\images\reg.jpg
- %System%\fss\images\scr-comp.gif
- %System%\fss\images\scr-date.gif
- %System%\fss\images\scr-emailweb.gif
- %System%\fss\images\scr-main.gif
- %System%\fss\images\scr-messenger.gif
- %System%\fss\images\spacer.gif
- %System%\fss\images\spybox.jpg
- %System%\fss\images\Thumbs.db
- %System%\fss\KS\14-05-2007.fss
- %System%\fss\misc.fss
- %System%\fss\PR\14-05-2007.fss
- %System%\fss\spanish.lan
- %System%\fss\SS\screenshots.html
- %System%\fss\winspl.exe
- %System%\fss\WV\14-05-2007.fss
- %System%\fss.fss
- %System%\HDSNLib.dll
- %System%\ijl11.dll
- %System%\issf.fss
- %System%\msado27.tlb
- %System%\MSMAPI32.OCX
- %System%\rssf.fss
- %System%\spmErr.txt
- %System%\ssf.fss
- %Windir%\spm.exe
- %SystemRoot%\LogMan.txt
- %System%\OSSMTP.dll
- %System%\OSSMTP.ocx
- %System%\shdocvw.dll001
It also drops several files with the following names:
- %System%\fss\SS\[RANDOM NAME]_[DATE]_[TIME].jpg
- %UserProfile%\Local Settings\Temp\[RANDOM NAME].tmp
- %Windir%\Installer\[RANDOM NAME].mst
Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Service" = "C:\WINDOWS\system32\fss\winspl.exe"
It also creates the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\ProgID\"" = "OSSMTP.Attachment"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20C62CA0-15DA-101B-B9A8-444553540000}\VersionIndependentProgID\"" = "MSMAPI.MAPISession"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20C62CAB-15DA-101B-B9A8-444553540000}\ProgID\"" = "MSMAPI.MAPIMessages.1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB1AE0D1-634E-11CF-8996-00AA00688B10}\"" = "MAPIMessages General Property Page Object"
The program then creates the following registry subkeys:
- HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline\.Default
- HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert\.Default
- HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail\.Default
- HKEY_CURRENT_USER\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage\.Default
- HKEY_CLASSES_ROOT\CLSID\{30BA1EC1-0059-4F91-9489-8D4E1189C688}
- HKEY_CLASSES_ROOT\CLSID\{32AA3950-881F-4712-8B35-83BF6825921F}
- HKEY_CLASSES_ROOT\CLSID\{5D4A5007-57B4-11D7-82A2-A4E31FDA2541}
- HKEY_CLASSES_ROOT\CLSID\{A71C9F09-FD16-4EFD-A939-A7157371B850}
- HKEY_CLASSES_ROOT\HDSNLib.HDSN
- HKEY_CLASSES_ROOT\Interface\{06F979F8-6769-4E37-8F1E-682C5974AD65}
- HKEY_CLASSES_ROOT\Interface\{473A13B0-A44B-4025-B665-2E1FB3AA707E}
- HKEY_CLASSES_ROOT\Interface\{4ED7A4FC-6D07-4A22-AD0F-E00BC5168058}
- HKEY_CLASSES_ROOT\Interface\{586E813A-46C0-4180-BC90-2092AD205300}
- HKEY_CLASSES_ROOT\Interface\{5D4A5006-57B4-11D7-82A2-A4E31FDA2541}
- HKEY_CLASSES_ROOT\Interface\{5DF827DD-575A-4E39-A674-7C5EE792EAE7}
- HKEY_CLASSES_ROOT\Interface\{72911F41-3592-4FCE-98FB-4DFE319E2936}
- HKEY_CLASSES_ROOT\Interface\{7BB6757C-0987-4873-B1EF-1908D79C57E8}
- HKEY_CLASSES_ROOT\Interface\{A5F268FB-F09B-4B59-A0B0-B28952CECF99}
- HKEY_CLASSES_ROOT\Interface\{A772B691-5338-4285-8E2B-B16E8076274F}
- HKEY_CLASSES_ROOT\Interface\{AABC19AB-D4EB-4E63-B16D-9A46B935CA7D}
- HKEY_CLASSES_ROOT\Interface\{D5D50503-7894-4282-8E9B-072C04AC15B8}
- HKEY_CLASSES_ROOT\MSMAPI.MAPIMessages.1
- HKEY_CLASSES_ROOT\MSMAPI.MAPIMessages
- HKEY_CLASSES_ROOT\MSMAPI.MAPISession.1
- HKEY_CLASSES_ROOT\MSMAPI.MAPISession
- HKEY_CLASSES_ROOT\TypeLib\{5D4A5005-57B4-11D7-82A2-A4E31FDA2541}
- HKEY_CLASSES_ROOT\TypeLib\{780134DB-223D-45F5-AB63-5406A0F66C2C}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{16AC2941-62F8-4FDB-A2E7-510A3A6887E1}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20C62CA2-15DA-101B-B9A8-444553540000}
The program may then perform the following activities on the computer:
- Record all keystrokes
- Take screenshots based on a provided list of keywords
- Monitor and log all applications that are started on the computer
- Monitor chat sessions
- Send all of the saved logs to a predefined email address
- Perform all of the above activities in stealth mode
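As an added defender-side example (not code from the original write-up), the following Python checks a `reg export` fragment for the Run value described above and a host file listing for the dropped files; the sample inputs are constructed and the function names are hypothetical.

```python
import re

# Indicators from the write-up above: the Run value the program creates and a handful
# of the files it drops. Suffix matching (case-insensitive) lets %System%/%Windir% vary.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "microsoft service"
RUN_IMAGE_SUFFIX = r"\fss\winspl.exe"
DROPPED_SUFFIXES = (RUN_IMAGE_SUFFIX, r"\hdsnlib.dll", r"\ossmtp.dll",
                    r"\ossmtp.ocx", r"\spm.exe", r"\logman.txt", r"\spmerr.txt")

def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here ([key] headers and
    "name"="data" string values) into {key: {name: data}}, undoing \\ and \" escapes."""
    entries, current = {}, None
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if val and current is not None:
            entries[current][unescape(val.group(1))] = unescape(val.group(2))
    return entries

def find_run_persistence(entries):
    """Run values matching the write-up: the 'Microsoft Service' name or an
    image path ending in fss\\winspl.exe (either alone is enough to flag)."""
    return [(name, data) for name, data in entries.get(RUN_KEY, {}).items()
            if name.lower() == RUN_VALUE_NAME or data.lower().endswith(RUN_IMAGE_SUFFIX)]

def find_dropped_files(paths):
    """Host file paths whose suffix matches one of the dropped-file names."""
    return [p for p in paths if p.lower().endswith(DROPPED_SUFFIXES)]

# Constructed sample input: a `reg export` fragment and a host-inventory style file list.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Service"="C:\\WINDOWS\\system32\\fss\\winspl.exe"
'''
SAMPLE_FILES = [r"C:\WINDOWS\system32\kernel32.dll", r"C:\WINDOWS\system32\fss\winspl.exe",
                r"C:\WINDOWS\spm.exe", r"C:\WINDOWS\LogMan.txt"]

if __name__ == "__main__":
    print(find_run_persistence(parse_reg_export(SAMPLE_REG)))
    print(find_dropped_files(SAMPLE_FILES))
```

A hit on the Run value alone is a strong signal because the write-up's value name masquerades as a Microsoft component while pointing into a non-standard fss subfolder.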