
Spyware.SpyBossPro

Updated: May 30, 2008 12:12:21 PM
Type: Spyware
Name: SpyBoss Pro
Version: 4.2.0.0
Publisher: GearBoxComputers.com
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
When the program is executed, it creates the following folders:
  • %ProgramFiles%\SBP Demo\projects\temp
  • %UserProfile%\Application Data\Microsoft\Installer


It then creates the following files:
  • %UserProfile%\Desktop\SpyBoss Pro Demo.lnk
  • %UserProfile%\Start Menu\Programs\Gear Box Computers Software\SpyBoss Pro Demo\Readme-Help.lnk
  • %UserProfile%\Start Menu\Programs\Gear Box Computers Software\SpyBoss Pro Demo\SpyBoss Pro Demo.lnk
  • %ProgramFiles%\SBP Demo\EventScheduler.mdb
  • %ProgramFiles%\SBP Demo\Help.rtf
  • %ProgramFiles%\SBP Demo\Localization.txt
  • %ProgramFiles%\SBP Demo\Localization.xml
  • %ProgramFiles%\SBP Demo\projects\[DATE] [TIME]\[DATE][TIME] SpyBoss Pro by Gear Box Computers.jpg
  • %ProgramFiles%\SBP Demo\projects\[DATE] [TIME]\[DATE][TIME].htm
  • %ProgramFiles%\SBP Demo\projects\[DATE] [TIME]\caplog[RANDOM NUMBERS].log
  • %ProgramFiles%\SBP Demo\projects\temp.txt
  • %ProgramFiles%\SBP Demo\riched32.dll
  • %ProgramFiles%\SBP Demo\RunAtStartupTool.exe
  • %ProgramFiles%\SBP Demo\SBPDemo.exe
  • %ProgramFiles%\SBP Demo\vbalflbr6.dll
  • %SystemRoot%\TEMP\SpyBossProDemo.msi
  • %Windir%\Installer\[RANDOM NUMBERS].msi
  • %System%\actskn43.ocx
  • %System%\dijpg.dll
  • %System%\ijl11.dll
  • %System%\Memman.vxd
  • %System%\skinboxer43.dll


Next, it creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SpyBoss Pro
  • HKEY_LOCAL_MACHINE\SOFTWARE\Gear Box Computers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4DA00B90-DFBC-4718-AD53-BD8570394D71}
  • HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\SkinBoxer43.SkinBoxer
  • HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\SkinBoxer43.SkinBoxer.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}
  • HKEY_ALL_USERS\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}
  • HKEY_ALL_USERS\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4DA00B90-DFBC-4718-AD53-BD8570394D71}
  • HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}
  • HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\TypeLib\{61DDCB65-FFA8-42EE-9AB9-88EC8184120C}
  • HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\TypeLib\{E4A05A59-6B1E-48AB-94A1-5CD4AD88CF6D}


It then creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\SBP Demo\SBPDemo.exe"

It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-4261098257-1054187914-2678744794-1000\Products\09B00AD4CBFD8174DA35DB580793D417\InstallProperties\"DisplayName" = "SBP Demo"
HKEY_ALL_USERS\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-4261098257-1054187914-2678744794-1000\Products\09B00AD4CBFD8174DA35DB580793D417\InstallProperties\"DisplayName" = "SBP Demo"
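The file paths and registry keys listed above can be turned directly into host-based detection logic. The following Python script is an added example and is not part of the Symantec writeup: it converts a subset of the writeup's IoC templates (keeping their %ProgramFiles%, %System%, [DATE] [TIME] and [RANDOM NUMBERS] notation) into anchored regular expressions, runs them over a constructed file listing, and parses a constructed .reg-style export for the IoC keys and the "MSRegScan" Run value. The placeholder expansions (both Program Files directories, both Windows roots, both profile layouts) and all sample data are assumptions made for the example.

```python
import re

# Indicators copied from the writeup above, in its own placeholder notation.
FILE_IOCS = [
    r"%ProgramFiles%\SBP Demo\SBPDemo.exe",
    r"%ProgramFiles%\SBP Demo\RunAtStartupTool.exe",
    r"%ProgramFiles%\SBP Demo\projects\[DATE] [TIME]\caplog[RANDOM NUMBERS].log",
    r"%Windir%\Installer\[RANDOM NUMBERS].msi",
    r"%System%\skinboxer43.dll",
    r"%UserProfile%\Desktop\SpyBoss Pro Demo.lnk",
]
REGISTRY_KEY_IOCS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Gear Box Computers",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4DA00B90-DFBC-4718-AD53-BD8570394D71}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MSRegScan"

# Assumed expansions for the writeup's placeholders. Both Program Files
# directories, both Windows roots and both profile layouts are accepted
# because the writeup lists systems from Windows 95 through Vista.
PLACEHOLDERS = {
    "%ProgramFiles%": r"[a-z]:\\Program Files(?: \(x86\))?",
    "%UserProfile%": r"[a-z]:\\(?:Users|Documents and Settings)\\[^\\]+",
    "%SystemRoot%": r"[a-z]:\\(?:Windows|WINNT)",
    "%Windir%": r"[a-z]:\\(?:Windows|WINNT)",
    "%System%": r"[a-z]:\\(?:Windows|WINNT)\\System32",
    "[DATE]": r"[^\\]+",            # one path component, as in the writeup
    "[TIME]": r"[^\\]+",
    "[RANDOM NUMBERS]": r"\d+",     # the writeup says numbers; kept as digits
}
TOKEN_RE = re.compile(r"(%[A-Za-z]+%|\[[A-Z ]+\])")


def template_to_regex(template):
    """Turn one IoC template into an anchored, case-insensitive regex."""
    parts = []
    for token in TOKEN_RE.split(template):
        if not token:
            continue
        if token in PLACEHOLDERS:
            parts.append(PLACEHOLDERS[token])
        elif TOKEN_RE.fullmatch(token):
            raise ValueError("unknown placeholder %r" % token)
        else:
            parts.append(re.escape(token))      # literal path fragment
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


FILE_PATTERNS = [(t, template_to_regex(t)) for t in FILE_IOCS]


def scan_paths(paths):
    """Return (path, matching template) for every path that hits a file IoC."""
    hits = []
    for path in paths:
        path = path.strip()
        for template, pattern in FILE_PATTERNS:
            if pattern.match(path):
                hits.append((path, template))
                break
    return hits


def scan_reg_export(text):
    """Parse .reg-style text; report IoC keys and the MSRegScan Run value."""
    key_set = {k.lower() for k in REGISTRY_KEY_IOCS}
    found_keys, run_hit, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.lower() in key_set:
                found_keys.append(current)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current and current.lower() == RUN_KEY.lower():
            # .reg exports double every backslash; undo that before comparing
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() == RUN_VALUE.lower() and data.lower().endswith(r"\sbp demo\sbpdemo.exe"):
                run_hit = (name, data)
    return {"keys": found_keys, "run": run_hit}


# Constructed sample data (not captured from a real host).
SAMPLE_FILE_LISTING = [
    r"C:\Program Files\SBP Demo\SBPDemo.exe",
    r"C:\Program Files\SBP Demo\projects\2008-05-30 12.12.21\caplog48213.log",
    r"C:\WINDOWS\Installer\93481.msi",
    r"C:\WINDOWS\system32\skinboxer43.dll",
    r"C:\Documents and Settings\alice\Desktop\SpyBoss Pro Demo.lnk",
    r"C:\Program Files\Notepad++\notepad++.exe",   # benign, must not match
]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Gear Box Computers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSRegScan"="C:\\Program Files\\SBP Demo\\SBPDemo.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}]
@="SkinBoxer"
"""

if __name__ == "__main__":
    for path, template in scan_paths(SAMPLE_FILE_LISTING):
        print("FILE  ", path, "<-", template)
    result = scan_reg_export(SAMPLE_REG_EXPORT)
    for key in result["keys"]:
        print("REGKEY", key)
    print("RUN   ", result["run"])
```

In practice the file listing would come from a directory walk of the suspect host and the registry text from `reg export` or a forensic hive dump; anchoring each pattern with `^`/`$` and matching case-insensitively mirrors how Windows resolves paths and keeps a partial name like `SBPDemo.exe.bak` from triggering a hit.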

The program may then perform the following activities on the computer:
  • Records all keystrokes
  • Logs all Web sites visited by the user
  • Takes screen shots at regular intervals
  • Encrypts and sends all of the saved logs to a predefined email address
  • Performs all of the above activities in stealth mode