HTTP PCParent Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Spyware.PCParent communicating and requesting information from its controlling server.

Additional Information

Spyware.PCParent records screen shots on a computer at a set time interval.

When Spyware.PCParent is installed and run, it does the following:

1. Adds the value:

"WinLogin"="C:\WINNT\winlogin.exe"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the spyware runs each time that Windows is started.

2. Creates the files:

* %Windir%\winlogin.exe
* %Windir%\pcp_help.html
* %Windir%\pcp.cfg

Note: %Windir% is a variable. By default, this is C:\Windows or C:\Winnt.
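
An added example, not part of the original advisory: a Python triage script that checks a regedit export of the Run key and a file listing for the registry value and files listed above. The sample export and file list are constructed, and the function names are this example's own.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WinLogin"
DROPPED = ("winlogin.exe", "pcp_help.html", "pcp.cfg")
WINDIRS = (r"c:\windows", r"c:\winnt")  # default %Windir% values per the note
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample input: a regedit export and a directory listing.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLogin"="C:\\WINNT\\winlogin.exe"
"Updater"="C:\\Program Files\\Example\\update.exe"
'''
SAMPLE_FILES = [r"C:\WINNT\winlogin.exe", r"C:\WINNT\pcp.cfg",
                r"C:\WINNT\system32\winlogon.exe", r"C:\WINNT\notepad.exe"]


def parse_reg_export(text):
    """Parse export text into {key_lower: {name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys


def find_indicators(reg_text, file_paths):
    """Return (kind, detail) findings for the registry value and dropped files."""
    findings = []
    run = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    for name, data in run.items():
        exe = data.strip('"').lower()
        if name.lower() == RUN_VALUE.lower() and exe.endswith("\\winlogin.exe"):
            findings.append(("run_value", f"{name}={data}"))
    wanted = {f"{d}\\{f}" for d in WINDIRS for f in DROPPED}
    findings += [("file", p.strip()) for p in file_paths if p.strip().lower() in wanted]
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(f"{kind}: {detail}")
```

Key names, value names and paths are compared case-insensitively, so the check matches under either default %Windir% location.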

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Uninstall the security risk.
3. Run the scan.
4. Delete any values added to the registry.