Spyware.BossEye

Friday, June 27 2008

Updated: February 24, 2006 3:32:17 AM
Type: Spyware
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

SUMMARY

Behavior

Spyware.BossEye is a spyware program that captures screenshots at specified intervals. These screenshots are stored on the computer and can be accessed remotely in real-time or at a later time by the manager component of the application on another computer. The application can be configured to start recording silently at specific times and durations.

Protection

  • Initial Rapid Release version February 23, 2006
  • Latest Rapid Release version June 14, 2008 revision 017
  • Initial Daily Certified version February 23, 2006
  • Latest Daily Certified version June 14, 2008 revision 016
  • Initial Weekly Certified release date March 1, 2006

TECHNICAL DETAILS

When the risk is installed, it creates the following files:

  • %UserProfile%\Start Menu\Programs\Boss Eye DEMO\Boss Eye DEMO.lnk
  • %UserProfile%\Start Menu\Programs\Boss Eye DEMO\Boss Eye Server.lnk
  • %UserProfile%\Start Menu\Programs\Boss Eye DEMO\Help.lnk
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Help\akis.chm
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Help\eye.chm
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\INSTALL.LOG
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Player.exe
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Player.mld
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Res\beeng.bin
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Res\logo.bin
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Res\logoeng.bin
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Res\Player.ini
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Res\sa.bin
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\sdk.dat
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Server.exe
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\shootsrv.mld
  • %ProgramFiles%\UAB Optiva\Boss Eye DEMO\Uninstall.exe

It also creates the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{35FF5640-2F2E-4AA1-8FF6-EDA3FFEA2D17}
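
The file and registry artifacts listed above can be checked against a collected file inventory and registry export. The following is an added example, not part of the original write-up or any vendor tool; the locations that `%ProgramFiles%` and `%UserProfile%` resolve to, the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Indicators copied from the write-up, relative to the two roots it names.
PROGRAM_DIR = r"UAB Optiva\Boss Eye DEMO"
PROGRAM_FILES = [
    r"Help\akis.chm", r"Help\eye.chm", "INSTALL.LOG", "Player.exe",
    "Player.mld", r"Res\beeng.bin", r"Res\logo.bin", r"Res\logoeng.bin",
    r"Res\Player.ini", r"Res\sa.bin", "sdk.dat", "Server.exe",
    "shootsrv.mld", "Uninstall.exe",
]
MENU_DIR = r"Start Menu\Programs\Boss Eye DEMO"
MENU_FILES = ["Boss Eye DEMO.lnk", "Boss Eye Server.lnk", "Help.lnk"]
UNINSTALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Uninstall\{35FF5640-2F2E-4AA1-8FF6-EDA3FFEA2D17}")
# Assumption: where each variable may resolve on the hosts being triaged.
ROOTS = {
    "%ProgramFiles%": r"[a-z]:\\program files(?: \(x86\))?",
    "%UserProfile%": r"[a-z]:\\(?:documents and settings|users)\\[^\\]+",
}

def build_indicators():
    """Map each path template from the write-up to a case-insensitive regex."""
    out = {}
    for var, folder, names in (("%ProgramFiles%", PROGRAM_DIR, PROGRAM_FILES),
                               ("%UserProfile%", MENU_DIR, MENU_FILES)):
        for name in names:
            tail = "\\" + folder + "\\" + name
            out[var + tail] = re.compile(ROOTS[var] + re.escape(tail) + "$", re.I)
    return out

def sweep(file_paths, registry_keys):
    """Return ({template: [matching paths]}, uninstall_key_present)."""
    indicators = build_indicators()
    hits = {}
    for raw in file_paths:
        path = raw.strip().strip('"')  # tolerate quoted or padded inventory lines
        for template, rx in indicators.items():
            if rx.match(path):
                hits.setdefault(template, []).append(path)
    key_present = any(k.strip().strip("[]").lower() == UNINSTALL_KEY.lower()
                      for k in registry_keys)
    return hits, key_present

# Constructed sample inventory (e.g. `dir /s /b` lines) and registry export line.
SAMPLE_FILES = [
    r"C:\Program Files\UAB Optiva\Boss Eye DEMO\Server.exe",
    r"c:\program files (x86)\uab optiva\boss eye demo\res\player.ini",
    r"D:\Documents and Settings\alice\Start Menu\Programs\Boss Eye DEMO\Help.lnk",
]
SAMPLE_KEYS = ["[" + UNINSTALL_KEY + "]"]
```

Matching is anchored to the full vendor directory, so a generic name such as `Server.exe` in another product's folder does not count as a hit.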

The risk then takes screenshots of the compromised computer's display, allowing all user activity visible onscreen to be recorded and accessed remotely by another computer. This includes such things as Web browsing habits, email, and running applications. These screenshots are stored on the computer and can be accessed either in real-time or at a later time over the network by a monitoring agent.

The frequency at which screen capture occurs can be set in the monitoring component of this risk (player.exe), allowing a maximum capture rate of one screenshot per second. The default rate of capture is one screenshot every 30 seconds. The application can be configured to record silently on a schedule, at specific times and for specific durations.

