September 1, 2009 11:37:33 AM
Windows Supervisor
Zero Alpha
Risk Impact:
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
When the risk is executed, it creates the following files:
  • %UserProfile%\Local Settings\Temp\[RANDOM NAME].tmp
  • %UserProfile%\Local Settings\Temp\[RANDOM NAME].tmp
  • %UserProfile%\Start Menu\Programs\Windows Supervisor\Online - Support, Updates, Register.lnk
  • %UserProfile%\Start Menu\Programs\Windows Supervisor\Uninstall Windows Supervisor.lnk
  • %UserProfile%\Start Menu\Programs\Windows Supervisor\Windows Supervisor Help.lnk
  • %UserProfile%\Start Menu\Programs\Windows Supervisor\Windows Supervisor.lnk
  • %ProgramFiles%\Windows Supervisor\help.chm
  • %ProgramFiles%\Windows Supervisor\khk001.dll
  • %ProgramFiles%\Windows Supervisor\libeay32.dll
  • %ProgramFiles%\Windows Supervisor\license.txt
  • %ProgramFiles%\Windows Supervisor\online.url
  • %ProgramFiles%\Windows Supervisor\ReadMe.txt
  • %ProgramFiles%\Windows Supervisor\shlapi.dll
  • %ProgramFiles%\Windows Supervisor\ssleay32.dll
  • %ProgramFiles%\Windows Supervisor\unmsi.dll
  • %ProgramFiles%\Windows Supervisor\winspvr.exe
  • %ProgramFiles%\Windows Supervisor\xxm32.dll
  • %Windir%\Installer\[RANDOM CHARACTERS].msi

It also creates the following folder (the hard-coded XP/2003 form of %AllUsersProfile%\Application Data; on Windows Vista and later the equivalent location is %ProgramData%):
C:\Documents and Settings\All Users\Application Data\Windows Supervisor

The risk then creates the following registry entry, so that it starts when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Supervisor" = "C:\Program Files\Windows Supervisor\winspvr.exe"

Because the value lives under HKEY_CURRENT_USER, the program is started only when the user who installed it logs on. When checking a shared machine, inspect the Run key in every user's hive (HKEY_USERS\[SID]\... or each profile's NTUSER.DAT), not just the currently logged-on user's.

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Windows Supervisor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A7177905-E880-4A21-8C28-4B7E653C4537}
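The file and registry indicators above are path templates rather than hashes, so the practical host check is to match an inventory against them. The following Python script is an added example written for this page, not Symantec's own tooling: it converts the templates (with their %VAR% and [RANDOM ...] placeholders) into anchored, case-insensitive regexes and runs them over a constructed file listing and .reg export of the kind `dir /s /b` and `reg export` produce. The sample inventory is made up for the example; the indicator strings are the ones listed above. Indicators that contain a random component are reported separately, because any .tmp file in a Temp folder or any .msi in %Windir%\Installer will match them and they prove nothing on their own.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Indicator templates taken from the write-up above (subset of the file list).
FILE_INDICATORS = [
    r"%UserProfile%\Local Settings\Temp\[RANDOM NAME].tmp",
    r"%UserProfile%\Start Menu\Programs\Windows Supervisor\Windows Supervisor.lnk",
    r"%ProgramFiles%\Windows Supervisor\winspvr.exe",
    r"%ProgramFiles%\Windows Supervisor\khk001.dll",
    r"%ProgramFiles%\Windows Supervisor\xxm32.dll",
    r"%Windir%\Installer\[RANDOM CHARACTERS].msi",
]
# Registry indicators: the Run value, the per-user key and the uninstall key.
REGISTRY_INDICATORS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Supervisor",
    r"HKEY_CURRENT_USER\Software\Windows Supervisor",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A7177905-E880-4A21-8C28-4B7E653C4537}",
]

_PLACEHOLDER = re.compile(r"%[A-Za-z]+%|\[RANDOM [A-Z ]+\]")


def template_to_regex(template: str) -> Pattern:
    """Turn an indicator template into an anchored, case-insensitive regex.

    Literal text is escaped. An environment-variable placeholder becomes '.+?'
    because its expansion (drive letter, user name, localized folder) differs
    per host; a [RANDOM ...] placeholder becomes one path component '[^\\]+'.
    """
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(r"[^\\]+" if m.group(0).startswith("[RANDOM") else r".+?")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def reg_export_entries(text: str) -> List[str]:
    """Flatten a .reg export into 'KEY' and 'KEY\\ValueName' strings."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")  # '[-KEY]' marks a deletion; keep the name
            entries.append(key)
        elif key and line.startswith('"'):
            name = line[1:line.index('"', 1)]  # value names with escaped quotes not handled
            entries.append(key + "\\" + name)
    return entries


def scan(files: List[str], reg_export: str) -> Dict[str, List[Tuple[str, str]]]:
    """Match an inventory against the indicators.

    Returns {'strong': [(indicator, observed)], 'weak': [...]}; 'weak' holds hits
    on templates with a random component, which also match benign files.
    """
    hits: Dict[str, List[Tuple[str, str]]] = {"strong": [], "weak": []}
    observed = [("file", f) for f in files] + [("reg", e) for e in reg_export_entries(reg_export)]
    for kind, templates in (("file", FILE_INDICATORS), ("reg", REGISTRY_INDICATORS)):
        for tpl in templates:
            rx = template_to_regex(tpl)
            bucket = "weak" if "[RANDOM" in tpl else "strong"
            for okind, item in observed:
                if okind == kind and rx.match(item):
                    hits[bucket].append((tpl, item))
    return hits


def verdict(hits: Dict[str, List[Tuple[str, str]]]) -> str:
    """'infected' on any strong hit, 'inconclusive' on weak hits only, else 'clean'."""
    if hits["strong"]:
        return "infected"
    return "inconclusive" if hits["weak"] else "clean"


# Constructed sample inventory (not a real capture): lines as 'dir /s /b' and
# 'reg export' would print them on an infected XP host, plus benign noise.
SAMPLE_FILES = [
    r"C:\Program Files\Windows Supervisor\winspvr.exe",
    r"C:\Program Files\Windows Supervisor\khk001.dll",
    r"C:\Program Files\Common Files\System\ado\msado15.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\~DF3A1B.tmp",
    r"C:\WINDOWS\Installer\1a3f6b.msi",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Supervisor"="C:\\Program Files\\Windows Supervisor\\winspvr.exe"

[HKEY_CURRENT_USER\Software\Windows Supervisor]
"Installed"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A7177905-E880-4A21-8C28-4B7E653C4537}]
"DisplayName"="Windows Supervisor"
"""

if __name__ == "__main__":
    result = scan(SAMPLE_FILES, SAMPLE_REG_EXPORT)
    for bucket in ("strong", "weak"):
        for tpl, item in result[bucket]:
            print(f"{bucket:6} {item}    <- {tpl}")
    print("verdict:", verdict(result))
```

On a real host, feed `scan()` the output of `dir /s /b` for every profile under Documents and Settings (or Users) and of `reg export` for HKLM and for each user's hive loaded under HKEY_USERS; the %UserProfile% templates are per user, so a listing of only the current profile misses other accounts.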

When a program is opened, the risk takes a screenshot of the desktop and then logs all keystrokes typed into the program.

The logged information can then be sent to a predetermined email address. Note that the dropped libeay32.dll and ssleay32.dll are the OpenSSL crypto and SSL libraries, so the mail transfer may be encrypted; network monitoring should not assume the exfiltrated data will be visible as cleartext SMTP.