Spyware.XPCMonitor

Updated: September 12, 2008 3:52:51 PM
Type: Spyware
Name: XPC Monitor Keylogger
Version: 2.0.0.1
Publisher: iSoftwise
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the program is executed, it creates the following folder:
%UserProfile%\Local Settings\Temp\ImageLogTemp

It then drops the following files:
  • %ProgramFiles%\XPCMonitor_206\HookPassword.dll
  • %ProgramFiles%\XPCMonitor_206\ImageData.xpc
  • %ProgramFiles%\XPCMonitor_206\KeyData.xpc
  • %ProgramFiles%\XPCMonitor_206\libeay32.dll
  • %ProgramFiles%\XPCMonitor_206\license_en.txt
  • %ProgramFiles%\XPCMonitor_206\MediaLog.dll
  • %ProgramFiles%\XPCMonitor_206\ProfileVerify.dll
  • %ProgramFiles%\XPCMonitor_206\ssleay32.dll
  • %ProgramFiles%\XPCMonitor_206\tips.txt
  • %ProgramFiles%\XPCMonitor_206\TransForm.dll
  • %ProgramFiles%\XPCMonitor_206\Uninstall.exe
  • %ProgramFiles%\XPCMonitor_206\WebData.xpc
  • %ProgramFiles%\XPCMonitor_206\welcome.txt
  • %ProgramFiles%\XPCMonitor_206\XPCMonitor.exe
  • %ProgramFiles%\XPCMonitor_206\XPCMonitorConfig.ini
  • %ProgramFiles%\XPCMonitor_206\XPCMonitorHlp.chm
  • %ProgramFiles%\XPCMonitor_206\XPCMonitorKeyCfg.ini
  • %ProgramFiles%\XPCMonitor_206\XPCMonitorUsrCfg.ini
  • %System%\HookText.dll
  • %System%\WebHook.dll


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"XPCMonitor" = "C:\Program Files\XPCMonitor_206\XPCMonitor.exe"

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\XPCMonitor
  • HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
  • HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj
  • HKEY_LOCAL_MACHINE\SOFTWARE\XPCMonitor_206


The program may then perform the following actions on the computer:
  • Record keystrokes
  • Record visited Web sites
  • Record chat sessions
  • Record launched applications
  • Take screen shots at regular intervals
  • Run completely in stealth mode


The program may then send the created logs of information to a predefined email address.

It may also use FTP to send the gathered information to a remote location.
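
The folder, files and registry entries listed above can be checked for on a host with a read-only script. The following PowerShell is an added example, not part of the original write-up; the function name is hypothetical, and it assumes %System% maps to the Windows system directory and that the paths are not redirected (for example on 64-bit Windows).

```powershell
# Added example: read-only check for the artifacts listed on this page.
# Nothing is modified or deleted; the function only reports what it finds.
function Test-XPCMonitorArtifacts {
    $installDir = Join-Path $env:ProgramFiles 'XPCMonitor_206'
    $systemDir  = [Environment]::SystemDirectory   # assumed to match %System%

    # File names exactly as listed in the write-up.
    $installFiles = 'HookPassword.dll','ImageData.xpc','KeyData.xpc','libeay32.dll',
        'license_en.txt','MediaLog.dll','ProfileVerify.dll','ssleay32.dll','tips.txt',
        'TransForm.dll','Uninstall.exe','WebData.xpc','welcome.txt','XPCMonitor.exe',
        'XPCMonitorConfig.ini','XPCMonitorHlp.chm','XPCMonitorKeyCfg.ini',
        'XPCMonitorUsrCfg.ini'

    $paths = @(
        (Join-Path $env:USERPROFILE 'Local Settings\Temp\ImageLogTemp'),
        (Join-Path $systemDir 'HookText.dll'),
        (Join-Path $systemDir 'WebHook.dll')
    )
    $paths += $installFiles | ForEach-Object { Join-Path $installDir $_ }

    # HKEY_CLASSES_ROOT has no default PowerShell drive, so use the provider path.
    $keys = @(
        'HKCU:\Software\XPCMonitor',
        'Registry::HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1',
        'Registry::HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj',
        'HKLM:\SOFTWARE\XPCMonitor_206'
    )

    $findings = @()
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'Path'; Item = $p; Detail = '' }
        }
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $k; Detail = '' }
        }
    }

    # Autostart value under the Run key; report the command line it points to.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'XPCMonitor' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\XPCMonitor"; Detail = $run.XPCMonitor }
    }
    return $findings
}

$result = Test-XPCMonitorArtifacts
if ($result) { $result | Format-Table -AutoSize -Wrap } else { 'No artifacts from this list were found.' }
```

The HKEY_CURRENT_USER and %UserProfile% checks apply only to the account running the script, so run it once per user profile of interest.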