
Spyware.YKPMD

Friday, June 27 2008

Updated: February 7, 2006 12:03:03 PM
Type: Spyware
Risk Impact: Low
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

SUMMARY

Behavior

Spyware.YKPMD is a spyware program that monitors user activity, logs keystrokes, and captures screenshots.

Protection

  • Initial Rapid Release version February 3, 2006
  • Latest Rapid Release version February 3, 2006
  • Initial Daily Certified version February 3, 2006
  • Latest Daily Certified version February 3, 2006
  • Initial Weekly Certified release date February 8, 2006

TECHNICAL DETAILS

Spyware.YKPMD is a spyware program that monitors user activity, logs keystrokes, and captures screenshots.

Once Spyware.YKPMD is installed, it creates the following files:
%UserProfile%\Start Menu\Programs\RebrandSoftware [YOURCOMPANY HERE]\Professional Computer Monitor Demo [YOURPROGRAMNAME HERE]\Computer Monitor Demo [YOURPROGRAMNAME HERE].lnk
%UserProfile%\Start Menu\Programs\RebrandSoftware [YOURCOMPANY HERE]\Professional Computer Monitor Demo [YOURPROGRAMNAME HERE]\Readme-Help.lnk
%ProgramFiles%\YKPMD\EventScheduler.mdb
%ProgramFiles%\YKPMD\Help.rtf
%ProgramFiles%\YKPMD\riched32.dll
%ProgramFiles%\YKPMD\YKPND.exe
%Windir%\Installer\[RANDOM].msi
%System%\actskn43.ocx - This is a non-malicious component that may be used by other applications.
%System%\dijpg.dll - This is a non-malicious component that may be used by other applications.
%System%\richtx32.ocx - This is a non-malicious component that may be used by other applications.
%System%\skinboxer43.dll - This is a non-malicious component that may be used by other applications.
%System%\comdlg32.ocx - This is a non-malicious component that may be used by other applications.
%System%\mscomct2.ocx - This is a non-malicious component that may be used by other applications.
%System%\mscomctl.ocx - This is a non-malicious component that may be used by other applications.
%System%\mswinsck.ocx - This is a non-malicious component that may be used by other applications.

The risk also creates the following folders:
%UserProfile%\Application Data\Microsoft\Installer\{F72438D4-65D4-493B-9930-6EF66903FC09} - The threat creates numerous files, with the file name [RANDOM].exe, in this folder.
%ProgramFiles%\YKPMD\projects - This folder may contain more randomly named folders which contain the data that is gathered by the threat.
%ProgramFiles%\YKPMD\temp

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\%CURRENT_USER%\Products\4D83427F4D56B3949903E66F9630CF90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F72438D4-65D4-493B-9930-6EF66903FC09}
HKEY_LOCAL_MACHINE\SOFTWARE\YourCompany\YourKeyloggerProgramName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Modules\[RANDOM]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\4ED0D9931529FFB489CC623797038D4A
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\4D83427F4D56B3949903E66F9630CF90
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\4D83427F4D56B3949903E66F9630CF90
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\4ED0D9931529FFB489CC623797038D4A

The risk also creates numerous legitimate registry subkeys associated with the non-malicious components mentioned above that are installed by the risk.

Next, the risk creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Program Files\YKPMD\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\%CURRENT_USER%\Start Menu\Programs\RebrandSoftware [YOURCOMPANY HERE]\Professional Computer Monitor Demo [YOURPROGRAMNAME HERE]\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"C:\Documents and Settings\%CURRENT_USER%\Application Data\Microsoft\Installer\{F72438D4-65D4-493B-9930-6EF66903FC09}\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\YKPMD\YKPND"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\YKPMD\YKPND"

The risk then monitors user activity on the compromised computer, logs keystrokes, and captures screenshots.
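As a defender-side illustration that is not part of the advisory, the following Python script matches a host artefact snapshot (registry values and file paths, as an inventory or EDR export would list them) against the indicators given above. The snapshot format, the function names and the sample data are assumptions constructed for this example; the advisory describes no tooling. It reports the Run-key persistence value, the Windows Installer product, upgrade and uninstall identifiers, and the files and folders under the YKPMD program directory, while deliberately not reporting the shared OCX/DLL components the advisory marks as non-malicious, since other software legitimately installs the same files.

```python
"""Match a host artefact snapshot against the Spyware.YKPMD indicators from
the advisory. Registry values are given as (key_path, value_name, value_data)
tuples and files as full paths, the way an inventory or EDR export would list
them; the snapshot format and all sample data below are constructed for this
example and are not from the advisory."""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the advisory. %ProgramFiles% / %UserProfile% are
# already expanded in a real snapshot, so paths are matched on their tail.
YKPMD_PATH_TAILS = (
    r"\YKPMD\EventScheduler.mdb",
    r"\YKPMD\Help.rtf",
    r"\YKPMD\riched32.dll",
    r"\YKPMD\YKPND.exe",
    r"\YKPMD\projects",
    r"\YKPMD\temp",
)
INSTALLER_IDS = (
    "4D83427F4D56B3949903E66F9630CF90",        # Installer product code
    "4ED0D9931529FFB489CC623797038D4A",        # Installer upgrade code
    "{F72438D4-65D4-493B-9930-6EF66903FC09}",  # Uninstall / MSI cache GUID
)
RUN_VALUE_NAME = "MSRegScan"
RUN_KEY_RE = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run$", re.IGNORECASE)

# Shared VB/ActiveX runtime files the advisory marks as non-malicious: other
# software installs the same files, so their presence alone is never reported.
SHARED_COMPONENTS = frozenset((
    "actskn43.ocx", "dijpg.dll", "richtx32.ocx", "skinboxer43.dll",
    "comdlg32.ocx", "mscomct2.ocx", "mscomctl.ocx", "mswinsck.ocx"))


@dataclass(frozen=True)
class Finding:
    kind: str    # "persistence", "installer" or "file"
    detail: str


def scan_registry(values):
    """Report the Run-key persistence value and the MSI product/upgrade ids."""
    findings, seen_keys = [], set()
    for key, name, data in values:
        if RUN_KEY_RE.match(key) and name.lower() == RUN_VALUE_NAME.lower():
            findings.append(Finding("persistence", f"{key}\\{name} = {data}"))
        if key not in seen_keys and any(i.lower() in key.lower() for i in INSTALLER_IDS):
            seen_keys.add(key)          # one finding per key, however many values it has
            findings.append(Finding("installer", key))
    return findings


def scan_files(paths):
    """Report files and folders under the YKPMD program directory only."""
    findings = []
    for path in paths:
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in SHARED_COMPONENTS:
            continue  # legitimate shared component: not a finding on its own
        if any(low.endswith(tail.lower()) for tail in YKPMD_PATH_TAILS):
            findings.append(Finding("file", path))
    return findings


def scan_snapshot(registry_values, file_paths):
    return scan_registry(registry_values) + scan_files(file_paths)


def summarize(findings):
    """Count findings per kind, e.g. {'persistence': 1, 'file': 2}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample snapshot (hypothetical host, not data from the advisory).
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "MSRegScan", r"C:\Program Files\YKPMD\YKPND"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\4D83427F4D56B3949903E66F9630CF90",
     "ProductName", "Professional Computer Monitor Demo"),
]
SAMPLE_FILES = [
    r"C:\Program Files\YKPMD\YKPND.exe",
    r"C:\Program Files\YKPMD\projects",
    r"C:\WINDOWS\system32\mswinsck.ocx",   # shared component, not reported
    r"C:\WINDOWS\system32\comdlg32.ocx",   # shared component, not reported
    r"C:\Program Files\7-Zip\7z.exe",
]

if __name__ == "__main__":
    for f in scan_snapshot(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(f"[{f.kind}] {f.detail}")
```

On the sample snapshot the script reports one persistence finding (the MSRegScan Run value), one installer finding (the product-code key) and two file findings under the YKPMD folder; the two OCX files in %System% are skipped because the advisory lists them as components other applications also use.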
