Spyware.YKPMD

Updated: February 07, 2006 12:03:05 PM
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.YKPMD is a spyware program that monitors user activity, logs keystrokes, and captures screenshots.

Antivirus Protection Dates

  • Initial Rapid Release version February 03, 2006
  • Initial Daily Certified version February 03, 2006
  • Latest Daily Certified version February 03, 2006
  • Initial Weekly Certified release date February 08, 2006

Writeup By: Unknown

Once Spyware.YKPMD is installed, it creates the following files:
%UserProfile%\Start Menu\Programs\RebrandSoftware [YOURCOMPANY HERE]\Professional Computer Monitor Demo [YOURPROGRAMNAME HERE]\Computer Monitor Demo [YOURPROGRAMNAME HERE].lnk
%UserProfile%\Start Menu\Programs\RebrandSoftware [YOURCOMPANY HERE]\Professional Computer Monitor Demo [YOURPROGRAMNAME HERE]\Readme-Help.lnk
%ProgramFiles%\YKPMD\EventScheduler.mdb
%ProgramFiles%\YKPMD\Help.rtf
%ProgramFiles%\YKPMD\riched32.dll
%ProgramFiles%\YKPMD\YKPND.exe
%Windir%\Installer\[RANDOM].msi
%System%\actskn43.ocx - This is a non-malicious component that may be used by other applications.
%System%\dijpg.dll - This is a non-malicious component that may be used by other applications.
%System%\richtx32.ocx - This is a non-malicious component that may be used by other applications.
%System%\skinboxer43.dll - This is a non-malicious component that may be used by other applications.
%System%\comdlg32.ocx - This is a non-malicious component that may be used by other applications.
%System%\mscomct2.ocx - This is a non-malicious component that may be used by other applications.
%System%\mscomctl.ocx - This is a non-malicious component that may be used by other applications.
%System%\mswinsck.ocx - This is a non-malicious component that may be used by other applications.

The risk also creates the following folders:
%UserProfile%\Application Data\Microsoft\Installer\{F72438D4-65D4-493B-9930-6EF66903FC09} - The threat creates numerous files, with the file name [RANDOM].exe, in this folder.
%ProgramFiles%\YKPMD\projects - This folder may contain more randomly named folders which contain the data that is gathered by the threat.
%ProgramFiles%\YKPMD\temp

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\%CURRENT_USER%\Products\4D83427F4D56B3949903E66F9630CF90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F72438D4-65D4-493B-9930-6EF66903FC09}
HKEY_LOCAL_MACHINE\SOFTWARE\YourCompany\YourKeyloggerProgramName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Modules\[RANDOM]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\4ED0D9931529FFB489CC623797038D4A
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\4D83427F4D56B3949903E66F9630CF90
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\4D83427F4D56B3949903E66F9630CF90
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\4ED0D9931529FFB489CC623797038D4A

The risk also creates numerous legitimate registry subkeys associated with the non-malicious components mentioned above that are installed by the risk.

Next, the risk creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\YKPMD\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\%CURRENT_USER%\Start Menu\Programs\RebrandSoftware [YOURCOMPANY HERE]\Professional Computer Monitor Demo [YOURPROGRAMNAME HERE]\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\%CURRENT_USER%\Application Data\Microsoft\Installer\{F72438D4-65D4-493B-9930-6EF66903FC09}\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\YKPMD\YKPND"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\YKPMD\YKPND"

The risk then monitors user activity on the compromised computer, logs keystrokes, and captures screenshots.
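The file, folder and registry artifacts listed above translate directly into a host check. The PowerShell script below is an added example and is not part of the writeup; it looks for the YKPMD program folder and its contents, the Start Menu shortcut folder, the installer product keys, the MSRegScan Run value that provides persistence, and a running YKPND process, and it only reports what it finds. It assumes that %System% in the writeup corresponds to $env:SystemRoot\System32 and that %UserProfile%\Application Data corresponds to $env:APPDATA; the Start Menu folder, whose name carries the [YOURCOMPANY HERE] placeholder, is matched with a wildcard on the RebrandSoftware prefix. The shared OCX and DLL components flagged as non-malicious are deliberately left out, since their presence alone says nothing.

```powershell
# Added example, not Symantec's own tooling: read-only sweep for the
# Spyware.YKPMD artifacts named in the writeup. Run in an elevated
# PowerShell on the host being examined; nothing is deleted or changed.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# --- Files and folders -------------------------------------------------------
# Assumption: %UserProfile%\Application Data maps to $env:APPDATA.
$paths = @(
    (Join-Path $env:ProgramFiles 'YKPMD\YKPND.exe'),
    (Join-Path $env:ProgramFiles 'YKPMD\EventScheduler.mdb'),
    (Join-Path $env:ProgramFiles 'YKPMD\Help.rtf'),
    (Join-Path $env:ProgramFiles 'YKPMD\projects'),   # holds gathered data
    (Join-Path $env:ProgramFiles 'YKPMD\temp'),
    (Join-Path $env:APPDATA 'Microsoft\Installer\{F72438D4-65D4-493B-9930-6EF66903FC09}')
)
foreach ($p in $paths) {
    # -LiteralPath so the braces in the GUID folder name are not parsed as wildcards
    if (Test-Path -LiteralPath $p) { $findings.Add("Path present: $p") }
}

# Start Menu folder: the writeup shows a [YOURCOMPANY HERE] placeholder in the
# name, so match on the fixed RebrandSoftware prefix only.
$programs = [Environment]::GetFolderPath('Programs')
Get-ChildItem -LiteralPath $programs -Directory -Filter 'RebrandSoftware*' |
    ForEach-Object { $findings.Add("Start Menu folder present: $($_.FullName)") }

# --- Persistence: Run value named MSRegScan in HKLM and HKCU -----------------
foreach ($hive in 'HKLM:', 'HKCU:') {
    $runKey = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $runKey -Name 'MSRegScan').MSRegScan
    if ($val) { $findings.Add("Run value $runKey\MSRegScan = $val") }
}

# --- Installer / product registry keys from the writeup ----------------------
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F72438D4-65D4-493B-9930-6EF66903FC09}',
    'HKLM:\SOFTWARE\YourCompany\YourKeyloggerProgramName',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\4ED0D9931529FFB489CC623797038D4A',
    'HKCU:\Software\Microsoft\Installer\Features\4D83427F4D56B3949903E66F9630CF90',
    'HKCU:\Software\Microsoft\Installer\Products\4D83427F4D56B3949903E66F9630CF90',
    'HKCU:\Software\Microsoft\Installer\UpgradeCodes\4ED0D9931529FFB489CC623797038D4A'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}

# The per-user UserData key is stored under the installing user's SID, which the
# writeup shows as %CURRENT_USER%; check every SID with a wildcard.
$userData = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\4D83427F4D56B3949903E66F9630CF90'
if (Test-Path -Path $userData) { $findings.Add("Registry key present: $userData") }

# --- Running process ----------------------------------------------------------
Get-Process -Name 'YKPND' | ForEach-Object {
    $findings.Add("Process running: $($_.ProcessName) (PID $($_.Id)) $($_.Path)")
}

# --- Report -------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'No Spyware.YKPMD artifacts found.'
} else {
    Write-Output "Spyware.YKPMD artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The MSRegScan Run value is the finding that matters most: it is what restarts the monitor at logon, so its presence on a host where nobody knowingly installed a monitoring product is the clearest signal. The installer GUID keys confirm that the MSI package was installed but can survive an incomplete uninstall, and the projects folder is where captured keystrokes and screenshots accumulate, which is why the script reports it rather than touching it.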