Saturday, March 20, 2010

007 spy software

Type: spyware

Alias: e spy 007 spy software

Company: Spy Software

Description: 007Spy Software is a commercial spyware program. It logs keystrokes, Web sites visited, programs used, and files and folder activity. It also has a screen capture logger and can be run automatically in a silent, undetectable mode. This spyware can use FTP or email to send all the logs to a remote server or email address. When the program is in Silent Mode, it cannot be accessed until it is brought out of Silent Mode. This can be done with a hot-key combination (the default combination is Ctrl+Alt+7).

Malware Threat

007 spy software

Directories

C:\Program Files\ssmon
C:\Program Files\Sysmnt
C:\Documents and Settings\user-account-name\Start Menu\Programs\007 Spy Software
C:\Documents and Settings\All Users\Local Settings\Ssdata
C:\Documents and Settings\All Users\Local Settings\Sysdata
C:\Documents and Settings\user-account-name\Application Data\Ssdata
C:\Documents and Settings\All Users\Start Menu\Programs\007 Spy Software
C:\Documents and Settings\user-account-name\Application Data\Sysdata
C:\Program Files\Common Files\Microsoft Shared\DAO\System32
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\ssdata
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\ssdata\scrdata

Files

C:\Windows\System32\ijl11pro.DLL
C:\Windows\sslogo.bmp
C:\Windows\XPbutton.ocx
C:\Windows\System32\ssmon.lnk
C:\Windows\System32\Sysmnt.dat
C:\Windows\System32\keybhook.dll
C:\Windows\System32\keybhookpro.dll
C:\Program Files\Sysmnt\Help.chm
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\Sysmnt\License.txt
C:\Program Files\Sysmnt\Uninst00.dat
C:\Program Files\Sysmnt\Unins000.exe
svchost.exe (md5:f755949ba45439a424de8e...)
svchost.exe (md5:5e9c99f51f29421db33590...)
C:\Documents and Settings\user-account-name\Start Menu\Programs\007 Spy Software\Online FAQ.lnk
C:\Documents and Settings\user-account-name\Start Menu\Programs\007 Spy Software\User Manual.lnk
007install.exe (md5:b16b770bfb0ae62bb993f9...)
007spy-5star.exe (md5:03ccbfe99a0e43ad4456f5...)
C:\Documents and Settings\user-account-name\Start Menu\Programs\007 Spy Software\007 Spy Software.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\007 Spy Software\Online FAQ.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\007 Spy Software\User Manual.lnk
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\Documents and Settings\user-account-name\Start Menu\Programs\007 Spy Software\e Spy Software Online.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\007 Spy Software\007 Spy Software.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\007 Spy Software\e Spy Software Online.lnk
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\faq.url
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\help.chm
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\license.txt
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\website.url
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\unins000.dat
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\unins000.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\ssdata\Files.dat
C:\Program Files\Common Files\Microsoft Shared\DAO\System32\ssdata\lgstat.ini

Registry Keys

HKEY_CLASSES_ROOT\\JasonButton.XPButton
HKEY_LOCAL_MACHINE\Software\Classes\JasonButton.XPButton
HKEY_CLASSES_ROOT\CLSID\{F3C047AF-74B1-4C61-9756-92F8D9F11A56}
HKEY_CLASSES_ROOT\Interface\{92D590B4-A6B6-4841-9C47-CB8D86BFDED0}
HKEY_CLASSES_ROOT\Interface\{C793DC5A-4494-4C30-93B0-0784604871DC}
HKEY_CLASSES_ROOT\TypeLib\{56ACC949-E6EE-4BF7-AF56-0A44FEDE4B42}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F3C047AF-74B1-4C61-9756-92F8D9F11A56}
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{56ACC949-E6EE-4BF7-AF56-0A44FEDE4B42}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{92D590B4-A6B6-4841-9C47-CB8D86BFDED0}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C793DC5A-4494-4C30-93B0-0784604871DC}

Registry Values

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%systemdir%\ijl11pro.DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinService32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows LSSS Service
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows LSASS Service

- forbot.cmForbot.CM is a backdoor worm that spreads through network shares and allows attackers to access and control over infected computer.
- forbot.cnForbot.CN is a worm which attempts to spread to remote network shares. Forbot.CN also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.
- forbot.ctForbot.CT is a network worm that spreads through network shares. It attempts to disable security related applications installed on infected machine. Forbot.CT also has backdoor functionality that allows unauthorized access to infected machines via IRC channels.
- forbot.cuForbot.CU is a backdoor worm that spreads through network shares and allows attackers to access and control over infected computer.
- forbot.cvForbot.CV can steal information, delete files, reduce system security, steal registration keys for various computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files.
- forbot.cwForbot.CW is a worm that replicates itself over a computer network and usually performs malicious actions.
- forbot.czForbot.CZ is a backdoor worm that spreads through network shares and allows attackers to access and control over infected computer.

007 spy software

ACROSS THE GLOBE

ACROSS THE GLOBE

IN United States

FROM United States