
Spyware.Apropos.C

Updated: February 13, 2007 11:46:57 AM
Type: Spyware
Risk Impact: High

When Spyware.Apropos.C runs, it does the following:

  1. May create some of the following files:

    • %Temp%\install_ct.exe
    • %Windir%\ptJ5Z
    • %ProgramFiles%\[RANDOM NAME]\ace.dll
    • %ProgramFiles%\[RANDOM NAME]\WinGenerics.dll
    • %ProgramFiles%\[RANDOM NAME]\data.bin
    • %ProgramFiles%\[RANDOM NAME]\AI_[INSTALL DATE].log
    • %ProgramFiles%\[RANDOM NAME]\Cache
    • %ProgramFiles%\[RANDOM NAME]\[RANDOM NAME].exe
    • %ProgramFiles%\[RANDOM NAME]\[RANDOM NAME].exe
    • %System%\[RANDOM NAME].dll
    • %System%\[RANDOM NAME].exe
    • %System%\drivers\[RANDOM NAME].sys


      Notes:
      • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
      • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
      • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
      • [RANDOM NAME] is a variable that refers to a randomly generated folder or file name of 8 alphanumeric characters. Spyware.Apropos.C tries to generate its random names by mixing random letters with legitimate file names gathered from installed applications, so that they look like those of a legitimate program.
      • [INSTALL DATE] is a variable that refers to the date on which Spyware.Apropos.C was installed on the system.

  2. Adds the values:

    "AutoUpdater" = "%System%\[RANDOM NAME].exe"
    "ClientName" = "%ProgramFiles%\[RANDOM NAME]\[RANDOM NAME].exe"
    "Device" = "\\.\[RANDOM NAME]"
    "DriverName" = "[RANDOM NAME]"
    "DriverPath" = "%System%\drivers\[RANDOM NAME].sys"
    "HDll" = "%System%\[RANDOM NAME].dll"
    "HideUninstallerName" = "%System%\[RANDOM NAME].exe"
    "InstallationId" = "[RANDOM CLSID]"
    "LegalNote" = "[http://]adchannell.contextplus.net/[REMOVED]/nonbranded.html"
    "PageFiltering" = 0x02
    "PartnerId" = "WB.CP"
    "ServerAddress" = "adchannel.contextplus.net"
    "Version" = "2.0.106"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME]

  3. Adds the values:

    "Auto" = [AUTOSTART LIST]
    "Debg" = [BINARY VALUE]
    "Device" = [BINARY VALUE]
    "ErrorControl" = "1"
    "File" = [BINARY VALUE]
    "ImagePath" = \\??\%System%\drivers\[RANDOM NAME].sys
    "Keys" = [BINARY VALUE]
    "Start" = "1"
    "Type" = "1"

    to the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]

    so that Spyware.Apropos.C runs every time Windows starts.

    Note: [AUTOSTART LIST] is a variable that refers to a list of executable files that the Spyware.Apropos.C system driver will run when the compromised computer is restarted.

  4. Uses rootkit capabilities to avoid detection and hide its running processes. It hides the installation folder inside %ProgramFiles% and the system driver dropped into the %System%\drivers directory.

  5. Downloads and displays advertisements.

  6. Monitors network activity and periodically contacts a remote server for instructions. Depending on the reply, it can:
    • Download and execute a program
    • Reconfigure itself to contact a different remote server
    • Send information to the remote server

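The registry entries in steps 2 and 3 are the most stable indicators in this writeup, because the file and key names are random while the value names, the "PartnerId" and "ServerAddress" strings, and the driver-service layout are not. The following Python script is an added example, not Symantec's tooling: it parses an exported .reg file, flags a key directly under HKLM\SOFTWARE with an 8-character alphanumeric name that carries the Apropos.C value set, and then looks for a boot-start kernel driver service whose image name matches that key's "DriverPath". The registry text, the 8-character names and the C:\WINDOWS paths in it are constructed test data, and the value-name threshold of four is an assumption of this example.

```python
import re
from typing import Dict, List

# Constructed .reg export (test data, not captured from an infected host):
# one Apropos.C-style configuration key, its matching driver service key,
# and a benign key that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\a7kqz3pm]
"AutoUpdater"="C:\\WINDOWS\\system32\\x9rmtb2q.exe"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\x9rmtb2q.sys"
"HDll"="C:\\WINDOWS\\system32\\k4wspr8d.dll"
"PartnerId"="WB.CP"
"ServerAddress"="adchannel.contextplus.net"
"Version"="2.0.106"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\x9rmtb2q]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\x9rmtb2q.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso]
"Version"="2.0.106"
"ServerAddress"="updates.contoso.example"
"""

RANDOM_NAME = r"[A-Za-z0-9]{8}"  # [RANDOM NAME] as described in the writeup
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
CONFIG_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\" + RANDOM_NAME + r"$", re.I)
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" + RANDOM_NAME + r"$", re.I)
DRIVER_PATH_RE = re.compile(r"\\drivers\\(" + RANDOM_NAME + r")\.sys$", re.I)

# Value names the writeup lists under the configuration key (step 2).
CONFIG_VALUE_NAMES = {
    "AutoUpdater", "ClientName", "Device", "DriverName", "DriverPath", "HDll",
    "HideUninstallerName", "InstallationId", "LegalNote", "PageFiltering",
    "PartnerId", "ServerAddress", "Version",
}
MIN_VALUE_NAME_HITS = 4  # assumption of this example, not from the writeup


def _decode_value(raw: str) -> object:
    """Decode a .reg value: quoted strings (with \\ and \" escapes) and dword."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/other types are kept in their textual form


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map each key path to its {value name: decoded value} dictionary."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        key_match = REG_KEY_RE.match(line.strip())
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = REG_VALUE_RE.match(line.strip())
        if value_match and current is not None:
            keys[current][value_match.group(1)] = _decode_value(value_match.group(2))
    return keys


def find_apropos_indicators(reg_text: str) -> List[dict]:
    """Return findings for the step-2 config key and its step-3 driver service."""
    keys = parse_reg_export(reg_text)
    findings: List[dict] = []
    linked_drivers = set()  # driver base names taken from flagged config keys
    for path, values in keys.items():
        if not CONFIG_KEY_RE.match(path):
            continue
        hits = CONFIG_VALUE_NAMES & set(values)
        server = str(values.get("ServerAddress", "")).lower()
        strong = server.endswith("contextplus.net") or values.get("PartnerId") == "WB.CP"
        if strong or len(hits) >= MIN_VALUE_NAME_HITS:
            findings.append({"rule": "config-key", "key": path, "matched": sorted(hits)})
            m = DRIVER_PATH_RE.search(str(values.get("DriverPath", "")))
            if m:
                linked_drivers.add(m.group(1).lower())
    # A boot-start driver with an 8-character name is common on clean systems,
    # so the service rule only fires when it is tied to a flagged config key.
    for path, values in keys.items():
        if not SERVICE_KEY_RE.match(path):
            continue
        m = DRIVER_PATH_RE.search(str(values.get("ImagePath", "")))
        if m and values.get("Start") == 1 and values.get("Type") == 1 \
                and m.group(1).lower() in linked_drivers:
            findings.append({"rule": "driver-service", "key": path, "driver": m.group(1)})
    return findings


if __name__ == "__main__":
    for finding in find_apropos_indicators(SAMPLE_REG):
        print(finding)
```

On a live system the same logic can be applied to the output of `reg export HKLM\SOFTWARE` and `reg export HKLM\SYSTEM`, but because the driver hides its own key and files while running (step 4), an export taken from an offline hive or a boot into another OS is the reliable source; an export that shows nothing under a running system does not rule the threat out.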
