Spyware.SecondSight

Updated:
February 13, 2007 11:48:26 AM
Type:
Spyware
Risk Impact:
Medium
File Names:
%SystemDrive%\System VolumeID\RP15\LibCache\MsiInterface.exe %SystemDrive%\System VolumeID\RP15\L
Systems Affected:
Windows

When Spyware.SecondSight is executed, it performs the following actions:
  1. Creates the following files:

    • %SystemDrive%\System VolumeID\RP15\LibCache\MsiInterface.exe
    • %SystemDrive%\System VolumeID\RP15\LibCache\msunin.exe
    • %SystemDrive%\System VolumeID\RP15\LibCache\scvhost.exe
    • %SystemDrive%\System VolumeID\RP15\LibCache\svcView.exe
    • %SystemDrive%\System VolumeID\RP46\APIgdi32.dll
    • %SystemDrive%\System VolumeID\RP46\bnr16.dll
    • %SystemDrive%\System VolumeID\RP46\bnr32.dll
    • %SystemDrive%\System VolumeID\RP46\sysadmin1.dll
    • %SystemDrive%\System VolumeID\RP46\sysadmin2.dll
    • %SystemDrive%\System VolumeID\RP46\sysadmin3.dll
    • %SystemDrive%\System VolumeID\RP46\sysnav04.dll
    • %SystemDrive%\System VolumeID\RP46\sysnav3a.dll
    • %SystemDrive%\System VolumeID\RP46\sysnav3b.dll
    • %SystemDrive%\System VolumeID\RP46\wcp32.dll
    • %System%\complus32\KSDPANEL.ocx
    • %System%\complus32\KBDMONITOR.OCX
    • %System%\mmemdrv.exe
    • %System%\KTKbdHk3.DLL

    Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KSDPanel.Panel
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KbdMonitor.KeyMon
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C4D77E92-252D-11D4-B358-C9A9F1AA7152}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C4D77E93-252D-11D4-B358-C9A9F1AA7152}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4D77E94-252D-11D4-B358-C9A9F1AA7152}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B60B1875-E5CA-11D2-BC3D-78A407C10000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B60B1871-E5CA-11D2-BC3D-78A407C10000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B60B1874-E5CA-11D2-BC3D-78A407C10000}


  3. Adds the value:

    "mmemdrv" = "%system%\mmemdrv.exe /n"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  4. Creates the following files, which may also be used by legitimate programs:

    • %Windir%\LastGood\system32\ASYCFILT.DLL
    • %Windir%\LastGood\system32\COMCAT.DLL
    • %Windir%\LastGood\system32\MSVBVM60.DLL
    • %Windir%\LastGood\system32\OLEAUT32.DLL
    • %Windir%\LastGood\system32\OLEPRO32.DLL
    • %Windir%\LastGood\system32\STDOLE2.TLB
    • %UserProfile%\Local Settings\Temp\vbrun60sp5.exe
    • %System%\complus32\TABCTL32.OCX
    • %System%\complus32\smtp.ocx
    • %System%\complus32\vsflex7l.ocx
    • %System%\complus32\XceedZip.dll
    • %System%\complus32\XIMGEDIT30.OCX
    • %System%\complus32\DGuard2.ocx
    • %System%\complus32\Psrl32.ocx
    • %System%\complus32\xpcheck.ocx
    • %System%\complus32\iQCustomButton.ocx
    • %System%\complus32\Trlpro.ocx
    • %System%\msstkrp.dll
    • %System%\mswinsck.ocx
    • %System%\msstkprp.dll
    • %System%\ptrue.dll
    • %System%\ptrue2.DLL
    • %System%\base64.dll
    • %System%\ccrpprg6.ocx

    Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

  5. Creates the following registry subkeys, which may also be used by legitimate programs:

    HKEY_ALL_USERS\Software\Microsoft\Visual Basic
    HKEY_ALL_USERS\Software\Microsoft\Visual Basic\6.0
    HKEY_CLASSES_ROOT\Base64Lib.Base64
    HKEY_CLASSES_ROOT\CCRProgressBar6.ccrpProgressBar
    HKEY_CLASSES_ROOT\CLSID\{07A76179-15AB-4F36-9D70-1EFB129234DA}
    HKEY_CLASSES_ROOT\CLSID\{1B81073E-AE6B-48BC-A15C-E8E2FC184AA2}
    HKEY_CLASSES_ROOT\CLSID\{28656ABB-8E12-11D2-950F-000000000000}
    HKEY_CLASSES_ROOT\CLSID\{33257AA1-5F0F-4808-BA9E-B49DC9E5B161}
    HKEY_CLASSES_ROOT\CLSID\{36588E10-5139-4E47-86C6-FEE5DBD92668}
    HKEY_CLASSES_ROOT\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}
    HKEY_CLASSES_ROOT\CLSID\{572110FB-7FC4-11D5-B57F-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\CLSID\{5EC2EB59-7487-4EA8-A6AA-9E08175A380B}
    HKEY_CLASSES_ROOT\CLSID\{681A54C9-1AA8-4F02-A80B-28016562A546}
    HKEY_CLASSES_ROOT\CLSID\{7435B1E5-1132-11D4-881C-FE73F1277977}
    HKEY_CLASSES_ROOT\CLSID\{8622CF73-1059-4F1E-BE61-2774421FEAF6}
    HKEY_CLASSES_ROOT\CLSID\{89E24949-B9C2-11D5-B580-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\CLSID\{A43F5A99-286A-4239-9E14-6A102DB795F6}
    HKEY_CLASSES_ROOT\CLSID\{C0A63B86-4B21-11d3-BD95-D426EF2C7949}
    HKEY_CLASSES_ROOT\CLSID\{C4D4C4D0-AFFA-4538-9919-DF8EE039B416}
    HKEY_CLASSES_ROOT\CLSID\{C8530F8C-C19C-11D2-99D6-9419F37DBB29}
    HKEY_CLASSES_ROOT\CLSID\{C9AC6C7F-FF07-40D9-A782-99B06991E0DC}
    HKEY_CLASSES_ROOT\CLSID\{CF36A6BA-647A-4A06-A975-9151EC633859}
    HKEY_CLASSES_ROOT\CLSID\{CF424AF9-6EBC-4EF6-8B51-BB39452043DC}
    HKEY_CLASSES_ROOT\CLSID\{D33B7CB4-A28C-4827-BF8A-B1ABC3D4DD30}
    HKEY_CLASSES_ROOT\CLSID\{D3CD7E76-F46E-4D4D-8A37-6E1D9B915CD9}
    HKEY_CLASSES_ROOT\CLSID\{D3DC0749-CA2E-4D23-A008-382712834D82}
    HKEY_CLASSES_ROOT\CLSID\{D4E1AA10-9077-42BB-8627-A483E760A02D}
    HKEY_CLASSES_ROOT\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}
    HKEY_CLASSES_ROOT\CLSID\{EB01AF3F-2923-40EB-9C4A-B04F78F23A52}
    HKEY_CLASSES_ROOT\CLSID\{F232B935-B123-48CB-B41E-554211E9DB61}
    HKEY_CLASSES_ROOT\CLSID\{F2575F18-1689-49DD-BC3A-32EC11EB6AA3}
    HKEY_CLASSES_ROOT\CLSID\{3637182B-FC80-48E6-A990-3E9AD725F831}
    HKEY_CLASSES_ROOT\CLSID\{572110FF-7FC4-11D5-B57F-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\CLSID\{57211101-7FC4-11D5-B57F-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\CLSID\{90920EDB-F231-4F96-8258-D3C43DCA2405}
    HKEY_CLASSES_ROOT\CLSID\{B1AA30DD-9038-406A-91C2-6388C2A9F342}
    HKEY_CLASSES_ROOT\DataGuardEncrytion.DataGuard
    HKEY_CLASSES_ROOT\Interface\{05D56700-EB90-11D2-A5CD-00105A9C91C6}
    HKEY_CLASSES_ROOT\Interface\{07189400-00F2-11D5-802D-0060082AE372}
    HKEY_CLASSES_ROOT\Interface\{1728CF04-8FF4-410E-93DC-068E01AE1947}
    HKEY_CLASSES_ROOT\Interface\{17A3B6BA-2C73-4F1E-84EB-0BC4B4FEB3DD}
    HKEY_CLASSES_ROOT\Interface\{184FBD23-74B7-4C0E-9544-676E9B897DAA}
    HKEY_CLASSES_ROOT\Interface\{1B11F4B0-6B89-4E43-9421-0F94E24DDBA0}
    HKEY_CLASSES_ROOT\Interface\{1E6C8619-9CB4-4CFF-924F-987F997F46D5}
    HKEY_CLASSES_ROOT\Interface\{20C3D965-325F-497A-9B3B-62AF19F0ADED}
    HKEY_CLASSES_ROOT\Interface\{20F87CC3-6D53-4390-BDA8-03D547035FAC}
    HKEY_CLASSES_ROOT\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}
    HKEY_CLASSES_ROOT\Interface\{2515F6EB-4140-4134-A9ED-D82A90B8CD9B}
    HKEY_CLASSES_ROOT\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
    HKEY_CLASSES_ROOT\Interface\{2DC0D9E8-305E-4EC9-BEC7-FBC0420BE7C1}
    HKEY_CLASSES_ROOT\Interface\{2E643D36-F83B-4654-9C7E-2FD3EB5FCC67}
    HKEY_CLASSES_ROOT\Interface\{31C2DDD0-B692-11D4-BFE3-0060082AE372}
    HKEY_CLASSES_ROOT\Interface\{380DB28C-1237-4409-B830-21BD402797B5}
    HKEY_CLASSES_ROOT\Interface\{38441974-2136-440C-92FE-97F443B304BB}
    HKEY_CLASSES_ROOT\Interface\{45ABA462-E16B-41AC-B205-F1447955B589}
    HKEY_CLASSES_ROOT\Interface\{4743DBCF-904C-4118-A506-5BAE4972144B}
    HKEY_CLASSES_ROOT\Interface\{4C836511-BB70-11D2-A5A7-00105A9C91C6}
    HKEY_CLASSES_ROOT\Interface\{4CD90CEA-3905-4368-B705-5E43550AE9EB}
    HKEY_CLASSES_ROOT\Interface\{52A1DC9C-2B44-4579-9210-1AED9EFB068C}
    HKEY_CLASSES_ROOT\Interface\{572110FA-7FC4-11D5-B57F-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\Interface\{5CA23300-8F2B-4BEE-B822-C8D1B1FFB4A1}
    HKEY_CLASSES_ROOT\Interface\{63E19CD2-72FE-4883-8871-B19EF69DF932}
    HKEY_CLASSES_ROOT\Interface\{6EFEAAF1-1384-4C1C-8FE2-9D05DE2045CB}
    HKEY_CLASSES_ROOT\Interface\{72DB3CE9-185B-48DA-94F6-BD64BA74C03B}
    HKEY_CLASSES_ROOT\Interface\{7435B1E1-1132-11D4-881C-FE73F1277977}
    HKEY_CLASSES_ROOT\Interface\{77243A10-00F3-11D5-802D-0060082AE372}
    HKEY_CLASSES_ROOT\Interface\{7D7AC385-5BA2-4569-B585-9DB05747EF6A}
    HKEY_CLASSES_ROOT\Interface\{81D9683D-A374-4FD7-B08E-CED8C2E75CD1}
    HKEY_CLASSES_ROOT\Interface\{82F2E224-92E8-11D3-9A1D-F2A67FD05A28}
    HKEY_CLASSES_ROOT\Interface\{89E24948-B9C2-11D5-B580-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\Interface\{8E203240-537D-11D3-BD8C-000000000000}
    HKEY_CLASSES_ROOT\Interface\{9373CFE7-C530-413A-8A35-778B412C4979}
    HKEY_CLASSES_ROOT\Interface\{9680EFF8-8465-4283-A4C3-5114DB5C0C29}
    HKEY_CLASSES_ROOT\Interface\{99C11080-CD22-11D4-BFFA-0060082AE372}
    HKEY_CLASSES_ROOT\Interface\{A02CA67E-8EBF-488D-A5D9-B8AACEC5CBE0}
    HKEY_CLASSES_ROOT\Interface\{A0CECD40-EB84-11D2-A5CD-00105A9C91C6}
    HKEY_CLASSES_ROOT\Interface\{A323465B-82BB-4F0D-A49E-F8301DBD6633}
    HKEY_CLASSES_ROOT\Interface\{A831624E-7282-467C-BBD7-0A70A23DDD0D}
    HKEY_CLASSES_ROOT\Interface\{AAC4831F-8C1F-434E-9F80-7F1B5B0036E0}
    HKEY_CLASSES_ROOT\Interface\{AB350AB0-B8D2-48F0-9922-1BD237B08FC5}
    HKEY_CLASSES_ROOT\Interface\{B17640CA-B591-11D5-B580-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\Interface\{B60B1870-E5CA-11D2-BC3D-78A407C10000}
    HKEY_CLASSES_ROOT\Interface\{BAA1401E-3F5F-47A4-870B-431D602D2488}
    HKEY_CLASSES_ROOT\Interface\{BC7A3AD9-34F8-4AA9-8ABC-B3D7F1D133F1}
    HKEY_CLASSES_ROOT\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}
    HKEY_CLASSES_ROOT\Interface\{BE8E5588-8ED4-4C02-9BCA-3E35BA5D0DB6}
    HKEY_CLASSES_ROOT\Interface\{C0A63B81-4B21-11D3-BD95-D426EF2C7949}
    HKEY_CLASSES_ROOT\Interface\{C8530F8B-C19C-11D2-99D6-9419F37DBB29}
    HKEY_CLASSES_ROOT\Interface\{C8530F94-C19C-11D2-99D6-9419F37DBB29}
    HKEY_CLASSES_ROOT\Interface\{CBD568D2-5097-407B-9EAD-3B986D920440}
    HKEY_CLASSES_ROOT\Interface\{CC6FD600-EE1D-11D4-801A-0060082AE372}
    HKEY_CLASSES_ROOT\Interface\{D5B21F3B-58DA-4A91-9277-F6B9D43A02C8}
    HKEY_CLASSES_ROOT\Interface\{DB79768F-40E0-11D2-9BD5-0060082AE372}
    HKEY_CLASSES_ROOT\Interface\{DD5E5A03-8C4E-43EA-A5E5-B859C66A7DD6}
    HKEY_CLASSES_ROOT\Interface\{DF626673-E52F-411D-A841-5EE6741267A7}
    HKEY_CLASSES_ROOT\Interface\{E1CE61DA-BC0C-4B9C-9AF0-2B6BD972B96B}
    HKEY_CLASSES_ROOT\Interface\{E6F2F7A9-B593-11D5-B580-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\Interface\{E77FB079-B961-4190-8B2B-F51E030BC1BD}
    HKEY_CLASSES_ROOT\Interface\{FE0D163E-5803-4E97-9DC2-2885BAABB455}
    HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
    HKEY_CLASSES_ROOT\Interface\{31C2DDD1-B692-11D4-BFE3-0060082AE372}
    HKEY_CLASSES_ROOT\Interface\{3A8BB631-588F-4994-B5CE-5AA6BD0FAFE3}
    HKEY_CLASSES_ROOT\Interface\{572110FE-7FC4-11D5-B57F-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
    HKEY_CLASSES_ROOT\Interface\{25DCDA05-7213-4EE6-809E-710EB90B0021}
    HKEY_CLASSES_ROOT\KSDPanel.Panel
    HKEY_CLASSES_ROOT\KbdMonitor.KeyMon
    HKEY_CLASSES_ROOT\PSrl32.PictureScroll
    HKEY_CLASSES_ROOT\PTRUE2.PhotoObject
    HKEY_CLASSES_ROOT\SMTPOCX.Connection
    HKEY_CLASSES_ROOT\SMTPOCX.Connections
    HKEY_CLASSES_ROOT\SMTPOCX.PhoneEntries
    HKEY_CLASSES_ROOT\SMTPOCX.PhoneEntry
    HKEY_CLASSES_ROOT\SMTPOCX.RASEngine
    HKEY_CLASSES_ROOT\SMTPOCX.RASError
    HKEY_CLASSES_ROOT\SMTPOCX.clsEnums
    HKEY_CLASSES_ROOT\SMTPOCX.vbSMTPOCX
    HKEY_CLASSES_ROOT\TrialProActiveX.SystemDetect
    HKEY_CLASSES_ROOT\TrialProActiveX.TrialPro
    HKEY_CLASSES_ROOT\TrialProActiveX.iQiniClass
    HKEY_CLASSES_ROOT\VSFlexGrid.VSFlexGrid.1
    HKEY_CLASSES_ROOT\VSFlexGrid.VSFlexGrid
    HKEY_CLASSES_ROOT\VSFlexGrid.VSFlexGridL
    HKEY_CLASSES_ROOT\VSFlexGrid.VSFlexGridL.1
    HKEY_CLASSES_ROOT\XImgEdit20.XImgEdit
    HKEY_CLASSES_ROOT\XPCheck.Check
    HKEY_CLASSES_ROOT\XceedSoftware.XceedCompression.5
    HKEY_CLASSES_ROOT\XceedSoftware.XceedCompression
    HKEY_CLASSES_ROOT\XceedSoftware.XceedZip.5
    HKEY_CLASSES_ROOT\XceedSoftware.XceedZip
    HKEY_CLASSES_ROOT\iQCustomButton.iQCommand
    HKEY_CLASSES_ROOT\TabDlg.SSTab.1
    HKEY_CLASSES_ROOT\TabDlg.SSTab
    HKEY_CLASSES_ROOT\MSWinsock.Winsock
    HKEY_CLASSES_ROOT\MSWinsock.Winsock.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrgm
    HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
    HKEY_CLASSES_ROOT\TypeLib\{28656AB9-8E12-11D2-950F-000000000000}
    HKEY_CLASSES_ROOT\TypeLib\{572110ED-7FC4-11D5-B57F-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\TypeLib\{65843385-8304-4ABB-8A59-C20DB8BDD50A}
    HKEY_CLASSES_ROOT\TypeLib\{666634B4-9680-4FA6-B1E0-9F7F90AC3699}
    HKEY_CLASSES_ROOT\TypeLib\{66F29D45-2962-43E8-AFAA-D9A0FCF8AEB4}
    HKEY_CLASSES_ROOT\TypeLib\{7435B1E0-1132-11D4-881C-FE73F1277977}
    HKEY_CLASSES_ROOT\TypeLib\{7D168973-F774-4093-934A-49A747D98659}
    HKEY_CLASSES_ROOT\TypeLib\{B78D1D17-8176-11D5-B57F-0050BAE7FEC4}
    HKEY_CLASSES_ROOT\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}
    HKEY_CLASSES_ROOT\TypeLib\{C0A63B80-4B21-11D3-BD95-D426EF2C7949}
    HKEY_CLASSES_ROOT\TypeLib\{C8530F8A-C19C-11D2-99D6-9419F37DBB29}
    HKEY_CLASSES_ROOT\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}
    HKEY_CLASSES_ROOT\TypeLib\{F8EA4540-9A74-475A-82C9-A79E454FCB78}
    HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}
    HKEY_CLASSES_ROOT\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}

  6. Logs keystrokes, captures screen shots, and sends the logged information to a remote attacker via email.
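The following is an added example and is not part of the Symantec writeup: an offline check, written from the responder's side, that turns the indicators above into something an analyst can run against data pulled from a disk image. It parses a constructed Registry Editor 5.00 export of the Run key (step 3), expands the %System%/%SystemDrive% variables with the Windows XP defaults the notes give, and matches observed file paths against the artifacts of step 1 only. The step-4 files (MSWINSCK.OCX, MSVBVM60.DLL and so on) are left out on purpose, because the writeup says legitimate programs use them too. The sample registry text and file list are constructed, nothing here touches a live system, and the "ctfmon.exe" entry is a made-up benign neighbour, not something the writeup attributes to the threat.

```python
import re

# Default locations the writeup gives for the path variables (Windows XP values).
# %UserProfile% keeps the writeup's placeholder for the user name.
DEFAULT_VARS = {
    "%SystemDrive%": "C:",
    "%Windir%": r"C:\Windows",
    "%System%": r"C:\Windows\System32",
    "%UserProfile%": r"C:\Documents and Settings\[CURRENT USER]",
}

# Artifacts the writeup attributes to the threat itself (step 1). The shared
# components of step 4 are intentionally absent: they are not evidence on their own.
SECONDSIGHT_FILES = [
    r"%SystemDrive%\System VolumeID\RP15\LibCache\MsiInterface.exe",
    r"%SystemDrive%\System VolumeID\RP15\LibCache\msunin.exe",
    r"%SystemDrive%\System VolumeID\RP15\LibCache\scvhost.exe",
    r"%SystemDrive%\System VolumeID\RP15\LibCache\svcView.exe",
    r"%System%\complus32\KSDPANEL.ocx",
    r"%System%\complus32\KBDMONITOR.OCX",
    r"%System%\mmemdrv.exe",
    r"%System%\KTKbdHk3.DLL",
]

# Persistence indicator from step 3.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "mmemdrv"


def expand(path, variables=DEFAULT_VARS):
    """Expand %Var% placeholders case-insensitively (the writeup's Run value spells it %system%)."""
    for var, val in variables.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.IGNORECASE)
    return path


def normalize(path):
    """Canonical form for comparison: variables expanded, case folded (NTFS paths are case-insensitive)."""
    return expand(path).lower()


def parse_reg_export(text):
    """Minimal parser for a .reg (Registry Editor 5.00) export: returns {key: {name: data}}.
    Only quoted string values are handled, which is all the Run key needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg escapes: \" -> " and \\ -> \
                unescape = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def check_run_key(reg):
    """Flag Run values that launch the writeup's mmemdrv.exe, whether or not the
    value still carries the documented name. Returns a list of (name, data)."""
    findings = []
    target_exe = normalize(r"%System%\mmemdrv.exe")
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME or normalize(data).startswith(target_exe):
            findings.append((name, data))
    return findings


def check_files(observed_paths):
    """Return the observed paths that match a threat-specific artifact from step 1."""
    expected = {normalize(p) for p in SECONDSIGHT_FILES}
    return sorted(p for p in observed_paths if normalize(p) in expected)


# Constructed sample input: a Run-key export and a handful of paths seen on a disk image.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"mmemdrv"="%system%\\mmemdrv.exe /n"
'''

SAMPLE_FILES = [
    r"C:\Windows\System32\mmemdrv.exe",
    r"C:\Windows\System32\complus32\KBDMONITOR.OCX",
    r"C:\Windows\System32\mswinsck.ocx",   # step-4 shared component: must not match
    r"C:\Windows\System32\kernel32.dll",   # unrelated system file
]


def scan(reg_text=SAMPLE_REG, observed_paths=SAMPLE_FILES):
    """Run both checks and return {"run": [...], "files": [...]}."""
    reg = parse_reg_export(reg_text)
    return {"run": check_run_key(reg), "files": check_files(observed_paths)}


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(kind, hits)
```

The Run-key check matches on the executable path as well as the value name, so a renamed value still surfaces; the file check keeps the shared OCX/DLL components out of the match set so that a VB6 runtime on a clean host does not raise a finding.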
