When the program is executed, it creates the following folder:
%UserProfile%\Local Settings\Temp\ImageLogTemp
It then drops the following files:
- %ProgramFiles%\XPCMonitor_206\HookPassword.dll
- %ProgramFiles%\XPCMonitor_206\ImageData.xpc
- %ProgramFiles%\XPCMonitor_206\KeyData.xpc
- %ProgramFiles%\XPCMonitor_206\libeay32.dll
- %ProgramFiles%\XPCMonitor_206\license_en.txt
- %ProgramFiles%\XPCMonitor_206\MediaLog.dll
- %ProgramFiles%\XPCMonitor_206\ProfileVerify.dll
- %ProgramFiles%\XPCMonitor_206\ssleay32.dll
- %ProgramFiles%\XPCMonitor_206\tips.txt
- %ProgramFiles%\XPCMonitor_206\TransForm.dll
- %ProgramFiles%\XPCMonitor_206\Uninstall.exe
- %ProgramFiles%\XPCMonitor_206\WebData.xpc
- %ProgramFiles%\XPCMonitor_206\welcome.txt
- %ProgramFiles%\XPCMonitor_206\XPCMonitor.exe
- %ProgramFiles%\XPCMonitor_206\XPCMonitorConfig.ini
- %ProgramFiles%\XPCMonitor_206\XPCMonitorHlp.chm
- %ProgramFiles%\XPCMonitor_206\XPCMonitorKeyCfg.ini
- %ProgramFiles%\XPCMonitor_206\XPCMonitorUsrCfg.ini
- %System%\HookText.dll
- %System%\WebHook.dll
Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"XPCMonitor" = "C:\Program Files\XPCMonitor_206\XPCMonitor.exe"
It also creates the following registry subkeys:
- HKEY_CURRENT_USER\Software\XPCMonitor
- HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
- HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj
- HKEY_LOCAL_MACHINE\SOFTWARE\XPCMonitor_206
The program may then perform the following actions on the computer:
- Record keystrokes
- Record visited Web sites
- Record chat sessions
- Record launched applications
- Take screenshots at regular intervals
- Run completely in stealth mode
The program may then send the created logs of information to a predefined email address.
It may also use FTP to send the gathered information to a remote location.
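As an added example that is not part of the original write-up, the following PowerShell script checks a Windows host for the artifacts listed above (the dropped files, the registry subkeys and the Run value). It assumes %System% maps to $env:SystemRoot\System32 and, because "Local Settings\Temp" is the XP-era profile layout, also checks $env:TEMP on newer Windows.

```powershell
# Added example, not from the original description: look for the on-disk and
# registry artifacts named in the write-up. Paths come from the description;
# %System% is assumed to be $env:SystemRoot\System32.
$programDir = Join-Path $env:ProgramFiles 'XPCMonitor_206'
$systemDir  = Join-Path $env:SystemRoot 'System32'

$filePaths = @(
    (Join-Path $programDir 'XPCMonitor.exe'),
    (Join-Path $programDir 'HookPassword.dll'),
    (Join-Path $programDir 'MediaLog.dll'),
    (Join-Path $programDir 'TransForm.dll'),
    (Join-Path $programDir 'XPCMonitorConfig.ini'),
    (Join-Path $systemDir  'HookText.dll'),
    (Join-Path $systemDir  'WebHook.dll'),
    # Log folder: XP-style path from the write-up, plus the modern temp location
    (Join-Path $env:USERPROFILE 'Local Settings\Temp\ImageLogTemp'),
    (Join-Path $env:TEMP 'ImageLogTemp')
)

$registryKeys = @(
    'HKCU:\Software\XPCMonitor',
    'HKLM:\SOFTWARE\XPCMonitor_206',
    'Registry::HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj',
    'Registry::HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1'
)

$findings = @()

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File/folder present: $p" }
}

foreach ($k in $registryKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# The Run value is the persistence mechanism; report its data if it exists.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'XPCMonitor' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value XPCMonitor = $($run.XPCMonitor)" }

if ($findings.Count -eq 0) {
    Write-Output 'No XPCMonitor artifacts found.'
} else {
    Write-Warning "XPCMonitor artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell session so HKLM and %ProgramFiles% are readable; a hit on the Run value alone is enough to warrant pulling the full file list for review.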