When the program is executed, it creates the following folders:
- %ProgramFiles%\SBP Demo\projects\temp
- %UserProfile%\Application Data\Microsoft\Installer
It then creates the following files:
- %UserProfile%\Desktop\SpyBoss Pro Demo.lnk
- %UserProfile%\Start Menu\Programs\Gear Box Computers Software\SpyBoss Pro Demo\Readme-Help.lnk
- %UserProfile%\Start Menu\Programs\Gear Box Computers Software\SpyBoss Pro Demo\SpyBoss Pro Demo.lnk
- %ProgramFiles%\SBP Demo\EventScheduler.mdb
- %ProgramFiles%\SBP Demo\Help.rtf
- %ProgramFiles%\SBP Demo\Localization.txt
- %ProgramFiles%\SBP Demo\Localization.xml
- %ProgramFiles%\SBP Demo\projects\[DATE] [TIME]\[DATE][TIME] SpyBoss Pro by Gear Box Computers.jpg
- %ProgramFiles%\SBP Demo\projects\[DATE] [TIME]\[DATE][TIME].htm
- %ProgramFiles%\SBP Demo\projects\[DATE] [TIME]\caplog[RANDOM NUMBERS].log
- %ProgramFiles%\SBP Demo\projects\temp.txt
- %ProgramFiles%\SBP Demo\riched32.dll
- %ProgramFiles%\SBP Demo\RunAtStartupTool.exe
- %ProgramFiles%\SBP Demo\SBPDemo.exe
- %ProgramFiles%\SBP Demo\vbalflbr6.dll
- %SystemRoot%\TEMP\SpyBossProDemo.msi
- %Windir%\Installer\[RANDOM NUMBERS].msi
- %System%\actskn43.ocx
- %System%\dijpg.dll
- %System%\ijl11.dll
- %System%\Memman.vxd
- %System%\skinboxer43.dll
Next, it creates the following registry subkeys:
- HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SpyBoss Pro
- HKEY_LOCAL_MACHINE\SOFTWARE\Gear Box Computers
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4DA00B90-DFBC-4718-AD53-BD8570394D71}
- HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\SkinBoxer43.SkinBoxer
- HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\SkinBoxer43.SkinBoxer.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}
- HKEY_ALL_USERS\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}
- HKEY_ALL_USERS\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4DA00B90-DFBC-4718-AD53-BD8570394D71}
- HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}
- HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\TypeLib\{61DDCB65-FFA8-42EE-9AB9-88EC8184120C}
- HKEY_ALL_USERS\VirtualStore\MACHINE\SOFTWARE\Classes\TypeLib\{E4A05A59-6B1E-48AB-94A1-5CD4AD88CF6D}
It then creates the following registry entry so that the program runs whenever Windows starts, under a value name ("MSRegScan") that does not identify the product:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\SBP Demo\SBPDemo.exe"
It also creates the following registry entries. The SID in these paths (S-1-5-21-4261098257-1054187914-2678744794-1000) is the account on the computer where the sample was analyzed and will differ on other machines; the product code 09B00AD4CBFD8174DA35DB580793D417 is the Windows Installer packed form of the uninstall GUID {4DA00B90-DFBC-4718-AD53-BD8570394D71}:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-4261098257-1054187914-2678744794-1000\Products\09B00AD4CBFD8174DA35DB580793D417\InstallProperties\"DisplayName" = "SBP Demo"
HKEY_ALL_USERS\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-4261098257-1054187914-2678744794-1000\Products\09B00AD4CBFD8174DA35DB580793D417\InstallProperties\"DisplayName" = "SBP Demo"
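The following PowerShell script is an added example for sweeping a host for the artifacts listed above; it is not part of the original write-up. It assumes it is run elevated (so HKLM and the System32 directory are readable), resolves %ProgramFiles% and %System% from the environment, checks both the native and the x86 Program Files directories because the application is 32-bit, and enumerates the per-user SIDs under Installer\UserData instead of hard-coding the SID from the analysis machine. The randomly named MSI under %Windir%\Installer is not looked up because its name cannot be predicted.

```powershell
# Added example: sweep for SpyBoss Pro Demo installation artifacts.
# Assumptions: run as Administrator; paths follow the listing in this write-up.
$findings = @()

# 1. Persistence: the Run value that launches SBPDemo.exe at logon.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'MSRegScan')) {
    $findings += "Run value MSRegScan -> $($run.MSRegScan)"
}

# 2. Application, uninstall and COM registration keys.
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4DA00B90-DFBC-4718-AD53-BD8570394D71}',
    'HKLM:\SOFTWARE\Gear Box Computers',
    'HKLM:\SOFTWARE\Classes\CLSID\{1BE669B7-D464-438A-94A7-7FDA6C47BA47}',
    'HKCU:\Software\VB and VBA Program Settings\SpyBoss Pro'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 3. Windows Installer product record. The product code below is the packed form of the
#    uninstall GUID; the SID subkey is machine-specific, so every SID is enumerated.
$userData = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
Get-ChildItem -Path $userData -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Join-Path $_.PSPath 'Products\09B00AD4CBFD8174DA35DB580793D417\InstallProperties'
    if (Test-Path -LiteralPath $props) {
        $name = (Get-ItemProperty -LiteralPath $props -ErrorAction SilentlyContinue).DisplayName
        $findings += "Installer record under SID $($_.PSChildName): DisplayName=$name"
    }
}

# 4. Dropped files. A 32-bit installer lands in 'Program Files (x86)' and SysWOW64 on
#    64-bit Windows, so both locations are checked.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$systemDirs  = @([Environment]::GetFolderPath('System'),
                 (Join-Path $env:SystemRoot 'SysWOW64')) | Where-Object { Test-Path $_ }

$files = @()
foreach ($d in $programDirs) {
    $files += (Join-Path $d 'SBP Demo\SBPDemo.exe')
    $files += (Join-Path $d 'SBP Demo\RunAtStartupTool.exe')
    $files += (Join-Path $d 'SBP Demo\EventScheduler.mdb')
}
foreach ($d in $systemDirs) {
    foreach ($n in 'actskn43.ocx', 'dijpg.dll', 'ijl11.dll', 'Memman.vxd', 'skinboxer43.dll') {
        $files += (Join-Path $d $n)
    }
}
$files += (Join-Path $env:SystemRoot 'TEMP\SpyBossProDemo.msi')
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 5. Capture output: each session is a '[DATE] [TIME]' folder under projects\ holding a
#    caplog*.log plus screenshot and HTML report; list them with timestamps for the timeline.
foreach ($d in $programDirs) {
    $projects = Join-Path $d 'SBP Demo\projects'
    if (Test-Path -LiteralPath $projects) {
        Get-ChildItem -Path $projects -Recurse -Include 'caplog*.log', '*.htm', '*.jpg' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += "Capture artifact: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
            }
    }
}

if ($findings.Count -eq 0) { 'No SpyBoss Pro Demo artifacts found.' } else { $findings }
```

Treat the Run value as the primary indicator: an "MSRegScan" entry pointing into an "SBP Demo" directory is enough on its own to confirm the installation, and the dated capture folders give the window during which keystrokes, visited sites and screenshots were being recorded.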
The program may then perform the following activities on the computer:
- Records all keystrokes
- Logs all Web sites visited by the user
- Takes screen shots at regular intervals
- Encrypts and sends all of the saved logs to a predefined email address
- Performs all of the above activities in stealth mode