April 26, 2006 2:01:41 PM
Spyware.ABSystemSpy is a spyware program that monitors user activity, logs keystrokes, and captures screenshots.

When Spyware.ABSystemSpy is first installed, it creates the following files:
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\AB System Spy v5.1.1.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\Install default settings.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\License.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\Read user manual.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\Uninstall AB System Spy v5.1.1 build 3.lnk
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3\Visit Our Website.lnk
%ProgramFiles%\SSystem v5.1.1 build 3\abss.chm
%ProgramFiles%\SSystem v5.1.1 build 3\abss.url
%ProgramFiles%\SSystem v5.1.1 build 3\Administrator\log.htm
%ProgramFiles%\SSystem v5.1.1 build 3\Administrator\[RANDOM].jpg
%ProgramFiles%\SSystem v5.1.1 build 3\defaults.reg
%ProgramFiles%\SSystem v5.1.1 build 3\license.txt
%ProgramFiles%\SSystem v5.1.1 build 3\system.exe
%ProgramFiles%\SSystem v5.1.1 build 3\unins000.dat
%ProgramFiles%\SSystem v5.1.1 build 3\unins000.exe
%ProgramFiles%\AB System Spy v5.1.1 build 3\abss.chm
%ProgramFiles%\AB System Spy v5.1.1 build 3\abss.url
%ProgramFiles%\AB System Spy v5.1.1 build 3\Administrator\log.htm
%ProgramFiles%\AB System Spy v5.1.1 build 3\Administrator\[RANDOM].jpg
%ProgramFiles%\AB System Spy v5.1.1 build 3\defaults.reg
%ProgramFiles%\AB System Spy v5.1.1 build 3\ijl15.dll
%ProgramFiles%\AB System Spy v5.1.1 build 3\license.txt
%ProgramFiles%\AB System Spy v5.1.1 build 3\mswinsck.ocx
%ProgramFiles%\AB System Spy v5.1.1 build 3\sys.exe
%ProgramFiles%\AB System Spy v5.1.1 build 3\unins000.dat
%ProgramFiles%\AB System Spy v5.1.1 build 3\unins000.exe

The risk creates the following files, which may be used by legitimate applications:
%ProgramFiles%\SSystem v5.1.1 build 3\mswinsck.ocx
%ProgramFiles%\SSystem v5.1.1 build 3\ijl15.dll

The risk also creates the following folders:
%UserProfile%\Start Menu\Programs\SSystem v5.1.1 build 3
%ProgramFiles%\AB System Spy v5.1.1 build 3
%ProgramFiles%\SSystem v5.1.1 build 3
%ProgramFiles%\SSystem v5.1.1 build 3\Administrator (This folder may contain numerous randomly named .jpg files, which are the screenshots captured by the risk.)

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AB System Spy v5.1.1 build 3_is1
HKEY_ALL_USERS\Software\VB and VBA Program Settings\SSystem

The risk also creates numerous legitimate registry subkeys associated with the non-malicious components mentioned above, which the risk itself installs.

Then the risk creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"abss" = "c:\program files\ssystem v5.1.1 build 3\system.exe"

The risk then monitors user activity on the compromised computer, logs keystrokes, and captures screenshots.
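
The following PowerShell check is an added example, not part of the original write-up or any vendor tool. It looks on a Windows host for the folders, registry subkeys and `abss` Run value listed above. The function name, the extra `ProgramFiles(x86)` and `WOW6432Node` locations, and the reading of `HKEY_ALL_USERS` as every loaded hive under `HKEY_USERS` are assumptions.

```powershell
# Added example: report which artifacts from this write-up exist on the local host.
# Folder names, key names and the "abss" value are taken from the page; the rest is illustrative.
function Find-ABSystemSpyArtifact {
    $hit = { param($type, $path, $detail)
        [pscustomobject]@{ Type = $type; Path = $path; Detail = $detail } }

    # Install folders. The (x86) root is an assumption for 64-bit Windows.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        foreach ($name in 'SSystem v5.1.1 build 3', 'AB System Spy v5.1.1 build 3') {
            $dir = Join-Path $root $name
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            & $hit 'Folder' $dir 'install folder'
            # The Administrator subfolder holds log.htm and the screenshot .jpg files.
            $cap = Join-Path $dir 'Administrator'
            if (Test-Path -LiteralPath $cap) {
                $jpg = @(Get-ChildItem -LiteralPath $cap -Filter '*.jpg' -File -ErrorAction SilentlyContinue)
                & $hit 'Captures' $cap "$($jpg.Count) .jpg file(s)"
            }
        }
    }

    # Start Menu folder, checked for every profile registered on the machine.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem $profileList -ErrorAction SilentlyContinue | ForEach-Object {
        $profileDir = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
        if ($profileDir) {
            $menu = Join-Path $profileDir 'Start Menu\Programs\SSystem v5.1.1 build 3'
            if (Test-Path -LiteralPath $menu) { & $hit 'Folder' $menu 'Start Menu shortcuts' }
        }
    }

    # HKLM uninstall subkey and Run value. WOW6432Node is an assumption for 64-bit Windows.
    foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $uninstall = "$sw\Microsoft\Windows\CurrentVersion\Uninstall\AB System Spy v5.1.1 build 3_is1"
        if (Test-Path -LiteralPath $uninstall) { & $hit 'RegistryKey' $uninstall 'uninstall entry' }
        $run = "$sw\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty -LiteralPath $run -Name 'abss' -ErrorAction SilentlyContinue).abss
        if ($val) { & $hit 'RunValue' "$run\abss" $val }
    }

    # Per-user settings subkey, checked in each loaded user hive (assumed meaning of HKEY_ALL_USERS).
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = "Registry::HKEY_USERS\$($_.PSChildName)\Software\VB and VBA Program Settings\SSystem"
        if (Test-Path -LiteralPath $key) { & $hit 'RegistryKey' $key 'program settings' }
    }
}

Find-ABSystemSpyArtifact | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so other users' profiles and hives are readable; hives of users who are not logged on are not loaded and are not checked.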
