Spyware.PCProwler


Updated: March 21, 2006 6:43:31 PM
Type: Spyware
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.PCProwler is a commercial spyware application that records keystrokes, takes screenshots, and monitors instant-messaging (IM) conversations. It can store the captured data locally or e-mail it to a third party.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version March 21, 2006
  • Latest Daily Certified version July 22, 2011 revision 023
  • Initial Weekly Certified release date March 22, 2006

Once executed, it creates the following files:
%UserProfile%\Start Menu\Programs\MSWSPXP\Launch.lnk
%UserProfile%\Start Menu\Programs\MSWSPXP\Uninstall.lnk
%ProgramFiles%\Logger\*.*
%ProgramFiles%\MSWSPXP\!Executables\Release\.driver
%ProgramFiles%\MSWSPXP\!Executables\Release\Authenticator.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\cdll.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\di_Blowfish.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\IEHelper.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\KeyboardHook.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\Launcher.exe
%ProgramFiles%\MSWSPXP\!Executables\Release\OutlookAddin.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\PcProwler.cnt
%ProgramFiles%\MSWSPXP\!Executables\Release\PCPROWLER.HLP
%ProgramFiles%\MSWSPXP\!Executables\Release\qt-mt333.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\Reporter.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\SelfLoger.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\Settings.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\ShellHook.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\SpyKeyloggerApplication.exe
%ProgramFiles%\MSWSPXP\!Executables\Release\SpyKeyloggerService.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\Stoper.exe
%ProgramFiles%\MSWSPXP\!Executables\Release\svchost.exe
%ProgramFiles%\MSWSPXP\!Registry\*.*
%ProgramFiles%\MSWSPXP\!Resources\*.png
%ProgramFiles%\MSWSPXP\unins000.dat
%ProgramFiles%\MSWSPXP\unins000.exe

The risk then creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Prowler_is1
HKEY_LOCAL_MACHINE\SOFTWARE\LogiGuard\PC Prowler

It then creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"legalnoticeapplication" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"applicationgateway" = "C:\Program Files\MSWSPXP\!Executables\Release\svchost.exe"

Note that this svchost.exe is the spyware's own launcher, named to resemble the Windows service host process. The legitimate svchost.exe resides in %SystemRoot%\System32, so a Run value that starts an svchost.exe from any other directory is itself a useful indicator.

It also creates the following registry entries, which register the OutlookAddin.dll component as an Exchange client extension so that it is loaded inside Microsoft Outlook:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions\"Support" = "4.0;C:\PROGRA~1\MSWSPXP\!EXECU~1\Release\OUTLOO~1.DLL;1;11111111111111;1111111"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions\"Outlook Setup Extension" = "4.0;Outxxx.dll;7;00000000000000;0000000;OutXXX"

The "Outlook Setup Extension" value is also written by a normal Outlook installation, so only the "Support" value, with its DLL path inside the MSWSPXP folder, is specific to this risk.

The risk can be preconfigured to e-mail its log files to an address chosen by whoever installed it, so the captured data may leave the machine without any further interaction.
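The file paths and registry keys above are enough to hunt for an installation on a host. The following PowerShell function is an added example, not part of the Symantec write-up and not code from PCProwler; it tests the listed paths and keys and also applies two generalizations the indicators suggest: any Run value that launches an svchost.exe from outside the system directory, and the Program Files (x86) and WOW6432Node locations a 32-bit installer uses on 64-bit Windows. The function name, the Finding object layout, and the choice of which files to check are assumptions of this example.

```powershell
# Added example (not Symantec's or PCProwler's code): hunt a Windows host for the
# PCProwler artifacts listed in the write-up. Read-only; run from an elevated session
# so HKLM and all Program Files trees are readable.
function Find-PCProwlerArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
    }

    # 1. Files. A 32-bit installer lands in "Program Files (x86)" on 64-bit Windows, so
    #    both roots are checked. The per-user Start Menu\Programs folder is resolved via
    #    the shell folder API because "%UserProfile%\Start Menu" is only a junction on
    #    Vista and later.
    $programs = [Environment]::GetFolderPath('Programs')
    $paths = @(
        (Join-Path $programs 'MSWSPXP\Launch.lnk'),
        (Join-Path $programs 'MSWSPXP\Uninstall.lnk')
    )
    $pfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $pfRoots) {
        $paths += Join-Path $root 'Logger'
        $paths += Join-Path $root 'MSWSPXP'
        foreach ($name in 'KeyboardHook.dll', 'SpyKeyloggerApplication.exe', 'SpyKeyloggerService.dll', 'svchost.exe') {
            $paths += Join-Path $root "MSWSPXP\!Executables\Release\$name"
        }
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p 'path listed in the write-up exists' }
    }

    # 2. Registry keys. HKLM\SOFTWARE keys written by 32-bit code are redirected to
    #    WOW6432Node on 64-bit Windows, so that variant of each key is checked as well.
    $bho = '{CE7C3CF0-4B15-11D1-ABED-709549C10000}'
    $keys = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$bho",
        'Registry::HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}',
        'Registry::HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}',
        'Registry::HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj',
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Prowler_is1',
        'HKLM:\SOFTWARE\LogiGuard\PC Prowler'
    )
    $keys += $keys | Where-Object { $_ -like 'HKLM:\SOFTWARE\*' } |
        ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\' }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { Add-Finding 'RegKey' $k 'key listed in the write-up exists' }
    }

    # 3. Run values. The two value names come from the write-up. Independently of the
    #    name, any Run value that launches an svchost.exe from outside System32 or
    #    SysWOW64 is flagged, because the genuine binary lives only there.
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKCU', 'HKLM') {
        $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
        if ($null -eq $run) { continue }
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -in $psNoise) { continue }   # provider metadata, not registry values
            $data = [string]$prop.Value
            if ($prop.Name -in 'legalnoticeapplication', 'applicationgateway') {
                Add-Finding 'RunValue' "$runKey\$($prop.Name)" $data
            } elseif ($data -match '(?i)svchost\.exe' -and $data -notmatch '(?i)\\(System32|SysWOW64)\\svchost\.exe') {
                Add-Finding 'RunValue' "$runKey\$($prop.Name)" "svchost.exe outside the system directory: $data"
            }
        }
    }

    # 4. Outlook hook. "Outlook Setup Extension" is written by a normal Outlook install,
    #    so only the "Support" value is an indicator, and only when its DLL path points
    #    into the MSWSPXP tree.
    $extKey = 'HKLM:\SOFTWARE\Microsoft\Exchange\Client\Extensions'
    $ext = Get-ItemProperty -LiteralPath $extKey -Name 'Support' -ErrorAction SilentlyContinue
    if ($null -ne $ext) {
        $data = [string]$ext.Support
        if ($data -match '(?i)MSWSPXP') { Add-Finding 'OutlookExt' "$extKey\Support" $data }
    }

    return $findings.ToArray()
}

# Usage: an empty result means none of the indicators were found.
Find-PCProwlerArtifacts | Format-Table -AutoSize
```

Absence of hits only means these specific artifacts are not present; a reinstall under a different product name would change every path and key, which is why the generic svchost.exe-outside-System32 check is kept separate from the name-based ones.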