Spyware.ScreenView

Friday, June 27 2008

Updated: October 12, 2006 4:34:37 PM
Type: Spyware
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

SUMMARY

Behavior

Spyware.ScreenView is a spyware program that monitors user activity on computers in a local area network.

Protection

  • Initial Rapid Release version October 12, 2006
  • Latest Rapid Release version June 14, 2008 revision 017
  • Initial Daily Certified version October 12, 2006
  • Latest Daily Certified version June 14, 2008 revision 016
  • Initial Weekly Certified release date October 18, 2006

TECHNICAL DETAILS

Spyware.ScreenView is a spyware program that monitors user activity on computers in a local area network.

When the risk is executed, it may create the following files:

  • %Windir%\system32\COMCT332.OCX
  • %Windir%\system32\COMDLG32.OCX
  • %Windir%\system32\HH.EXE
  • %Windir%\system32\MCLHotkey.ocx
  • %Windir%\system32\mscomctl.ocx
  • %Windir%\system32\MSMASK32.OCX
  • %Windir%\system32\MSVBVM60.DLL
  • %Windir%\system32\MSWINSCK.OCX
  • %Windir%\system32\Sspl.dll
  • %Windir%\system32\VB6STKIT.DLL
  • %Windir%\system32\ZTray.ocx
  • %Windir%\folders.nfo
  • %Windir%\Setup1.exe
  • %Windir%\ST6UNST.EXE
  • %Windir%\svrmgr.exe
  • %UserProfile%\Start Menu\Programs\ScreenView\ScreenView.LNK
  • %ProgramFiles%\ScreenView\ScreenView.crc
  • %ProgramFiles%\ScreenView\ScreenView.exe
  • %ProgramFiles%\ScreenView\ST6UNST.LOG
  • %ProgramFiles%\ScreenView\svhelp.chm
  • %ProgramFiles%\svrmgr\ST6UNST.LOG

The risk then creates the following registry subkeys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ScreenView.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\ScreenView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #[INSTALLATION_NUMBER]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SvrMgr.exe
  • HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\ScreenView

The risk creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ScreenView" = "%ProgramFiles%\ScreenView\ScreenView"

The risk also creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\"svrmgr.exe" = "1"

The risk contains a client component, which is installed on the computers to be monitored. A server component then monitors the client components and may allow the following actions to be performed on the monitored computers:

  • Capture screenshots
  • Log keystrokes
  • Execute and terminate programs
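
The following triage sketch is an added example, not part of the original write-up. It matches a collected file listing and the HKLM Run values from a host against the indicators listed above, and counts the Visual Basic 6 runtime and HTML Help files as supporting evidence only, since legitimate software installs them too. The specific/shared split, the function names and the sample host data are assumptions of this example.

```python
import ntpath
import re

# Indicators copied from the write-up. The specific/shared split is this example's
# assumption: the shared names are Visual Basic 6 runtime components and HTML Help.
SPECIFIC_FILES = [
    r"%Windir%\svrmgr.exe",
    r"%ProgramFiles%\ScreenView\ScreenView.exe",
    r"%UserProfile%\Start Menu\Programs\ScreenView\ScreenView.LNK",
]
SHARED_FILES = [
    r"%Windir%\system32\MSVBVM60.DLL",
    r"%Windir%\system32\MSWINSCK.OCX",
    r"%Windir%\system32\HH.EXE",
]
RUN_VALUE = ("ScreenView", r"%ProgramFiles%\ScreenView\ScreenView")  # under HKLM ...\Run

def expand(path, env):
    """Substitute %Var% placeholders (case-insensitive), normalise, lowercase."""
    for name, value in env.items():
        path = re.sub(re.escape(f"%{name}%"), lambda m, v=value: v, path, flags=re.I)
    return ntpath.normpath(path.strip('"')).lower()

def triage(files, run_values, env):
    """files: paths collected from the host; run_values: {name: data} from HKLM Run."""
    seen = {expand(f, env) for f in files}
    specific = [p for p in SPECIFIC_FILES if expand(p, env) in seen]
    shared = [p for p in SHARED_FILES if expand(p, env) in seen]
    name, data = RUN_VALUE
    autorun = any(k.lower() == name.lower() and expand(v, env).startswith(expand(data, env))
                  for k, v in run_values.items())
    if autorun and specific:
        verdict = "installed"   # persistence entry plus program files
    elif autorun or specific:
        verdict = "remnants"    # partial install or incomplete removal
    else:
        verdict = "no_match"    # shared VB6 files alone are not evidence
    return {"verdict": verdict, "autorun": autorun, "specific": specific, "shared": shared}

# Constructed sample data (not taken from a real host).
ENV = {"Windir": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files",
       "UserProfile": r"C:\Documents and Settings\alice"}
INFECTED_FILES = [r"c:\windows\SVRMGR.EXE", r"C:\Program Files\ScreenView\ScreenView.exe",
                  r"C:\WINDOWS\system32\MSVBVM60.DLL"]
INFECTED_RUN = {"ScreenView": r'"C:\Program Files\ScreenView\ScreenView.exe"'}
VB6_ONLY_FILES = [r"C:\WINDOWS\system32\MSVBVM60.DLL", r"C:\WINDOWS\system32\HH.EXE"]

if __name__ == "__main__":
    print(triage(INFECTED_FILES, INFECTED_RUN, ENV), triage(VB6_ONLY_FILES, {}, ENV), sep="\n")
```

`%UserProfile%` differs per account, so run the check once per user profile found on the host.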

