Spyware.ChatWatch

Updated: 10 May 2006
Risk Impact: Medium
Systems Affected: Windows

Behavior

Spyware.ChatWatch is a spyware program that can record online chat conversations.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 17 July 2004
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 21 July 2004

The risk may arrive as the file cw3setup.exe.

Once executed, it creates the following files:
cw.exe
ccrpTmr6.dll
PolarZIPLight.dll
Richtx32.ocx
smtp.ocx
unins00.exe
unins00.dat

The installation path and the hotkey combination are configurable. The defaults are:
  • Installation path: "%ProgramFiles%\CW3\"
  • Hotkey: "CTRL+F6"

The risk creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"cwatch" = "[INSTALLATION PATH]\cw.exe"

The risk creates the following registry subkeys:
HKEY_Classes_Root\CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\InprocServer32\
HKEY_Classes_Root\CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\ToolboxBitmap32\
HKEY_Classes_Root\TypeLib\{9ccd14d6-abe0-44bf-8f04-29e59d2cda5d}\5.0\HELPDIR\
HKEY_Classes_Root\TypeLib\{42f1591e-830c-11d2-bbde-0055003b26de}\1.0\win32\
HKEY_Classes_Root\CLSID\{42f1591e-830c-11d2-bbde-0055003b26de}\InprocServer32\

The risk performs the following actions:
Logs all instant messenger conversations.
Sends log files via email.
Disables Task Manager to hinder users from viewing the list of currently running applications.

The risk searches for a window with a title bar containing the words "Task Manager" (for example, "Windows Task Manager") and kills the process.
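
A read-only check for the autostart value, files and registry subkeys listed above, given as an added example that is not part of the original write-up. It assumes the listed files sit in the installation directory, and that on 64-bit Windows the 32-bit locations (WOW6432Node, "Program Files (x86)") may be used instead.

```powershell
# Added example: read-only check for the Spyware.ChatWatch artifacts named in this write-up.
$findings    = @()
$installDirs = @()

# 1. Autostart value "cwatch" under the Run key.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # assumption: 32-bit view
)
foreach ($key in $runKeys) {
    $value = (Get-ItemProperty -Path $key -Name 'cwatch' -ErrorAction SilentlyContinue).cwatch
    if ($value) {
        $findings += "Run value 'cwatch' in $key = $value"
        # The install path is configurable, so take it from the Run value when present.
        $dir = Split-Path -Path $value.Trim('"') -Parent
        if ($dir) { $installDirs += $dir }
    }
}

# 2. Files, looked for in the default path and in any path found above
#    (assumption: the listed files are created in the installation directory).
$installDirs += Join-Path $env:ProgramFiles 'CW3'
if (${env:ProgramFiles(x86)}) { $installDirs += Join-Path ${env:ProgramFiles(x86)} 'CW3' }
$files = 'cw.exe', 'ccrpTmr6.dll', 'PolarZIPLight.dll', 'Richtx32.ocx',
         'smtp.ocx', 'unins00.exe', 'unins00.dat'
foreach ($dir in ($installDirs | Select-Object -Unique)) {
    foreach ($name in $files) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
}

# 3. Registry subkeys from the write-up (HKCR has no default PSDrive, so use the provider path).
$subkeys = @(
    'CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\InprocServer32',
    'CLSID\{1AB22F59-FB66-4A06-BCA9-EA5A6D5785E0}\ToolboxBitmap32',
    'TypeLib\{9ccd14d6-abe0-44bf-8f04-29e59d2cda5d}\5.0\HELPDIR',
    'TypeLib\{42f1591e-830c-11d2-bbde-0055003b26de}\1.0\win32',
    'CLSID\{42f1591e-830c-11d2-bbde-0055003b26de}\InprocServer32'
)
foreach ($sk in $subkeys) {
    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$sk") {
        $findings += "Registry subkey present: HKCR\$sk"
    }
}

if ($findings) { $findings } else { 'No artifacts from this write-up were found.' }
```

Shared controls such as Richtx32.ocx are also installed by unrelated software, so component files and their COM registrations are weak signals on their own; the "cwatch" Run value together with cw.exe is the stronger indicator.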