Spyware.PCProwler

Updated: 21 March 2006
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.PCProwler is a commercial Spyware application that records keystrokes, takes screenshots and monitors IM messages. It can store this information locally or mail it to a third party.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 21 March 2006
  • Latest Daily Certified version 22 July 2011 revision 023
  • Initial Weekly Certified release date 22 March 2006

Once executed, it creates the following files:
%UserProfile%\Start Menu\Programs\MSWSPXP\Launch.lnk
%UserProfile%\Start Menu\Programs\MSWSPXP\Uninstall.lnk
%ProgramFiles%\Logger\*.*
%ProgramFiles%\MSWSPXP\!Executables\Release\.driver
%ProgramFiles%\MSWSPXP\!Executables\Release\Authenticator.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\cdll.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\di_Blowfish.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\IEHelper.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\KeyboardHook.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\Launcher.exe
%ProgramFiles%\MSWSPXP\!Executables\Release\OutlookAddin.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\PcProwler.cnt
%ProgramFiles%\MSWSPXP\!Executables\Release\PCPROWLER.HLP
%ProgramFiles%\MSWSPXP\!Executables\Release\qt-mt333.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\Reporter.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\SelfLoger.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\Settings.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\ShellHook.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\SpyKeyloggerApplication.exe
%ProgramFiles%\MSWSPXP\!Executables\Release\SpyKeyloggerService.dll
%ProgramFiles%\MSWSPXP\!Executables\Release\Stoper.exe
%ProgramFiles%\MSWSPXP\!Executables\Release\svchost.exe
%ProgramFiles%\MSWSPXP\!Registry\*.*
%ProgramFiles%\MSWSPXP\!Resources\*.png
%ProgramFiles%\MSWSPXP\unins000.dat
%ProgramFiles%\MSWSPXP\unins000.exe

The risk then creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}}
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC Prowler_is1
HKEY_LOCAL_MACHINE\SOFTWARE\LogiGuard\PC Prowler

It then creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"legalnoticeapplication" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"applicationgateway" = "C:\Program Files\MSWSPXP\!Executables\Release\svchost.exe"

It also creates the following registry entries so that components of the Spyware can operate in Microsoft Outlook:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions\"Support" = "4.0;C:\PROGRA~1\MSWSPXP\!EXECU~1 Release\OUTLOO~1.DLL;1;11111111111111;1111111"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Extensions\"Outlook Setup Extension" = "4.0;Outxxx.dll;7;00000000000000;0000000;OutXXX"

The risk can then be preconfigured to mail any log files to an email account chosen by the user.
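
The startup entries and Browser Helper Object key listed above can be checked for in saved `reg query /s` output. The following is an added example, not part of the original write-up or of any vendor tool; it also generalises the `svchost.exe` entry to flag any Run value that launches `svchost.exe` from outside the system directory. The function names, the sample input and the `C:\Windows` location are assumptions.

```python
import ntpath
import re

# Indicators copied from the write-up above; SYSTEM_DIRS assumes Windows is in C:\Windows.
RUN_VALUE_NAMES = {"legalnoticeapplication", "applicationgateway"}
INSTALL_DIR = r"\program files\mswspxp"
BHO_CLSID = "{CE7C3CF0-4B15-11D1-ABED-709549C10000}"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}REG_\w+\s*(?P<data>.*)$")

def image_path(data):
    """Extract the executable path; unquoted data is treated as a bare path."""
    data = data.strip()
    return data[1:].split('"', 1)[0] if data.startswith('"') else data

def scan_reg_query(text):
    """Return (key, value name, reason) findings from `reg query /s` output."""
    findings, key = [], ""
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            if key.upper().endswith("BROWSER HELPER OBJECTS\\" + BHO_CLSID):
                findings.append((key, "", "BHO CLSID listed in write-up"))
            continue
        m = VALUE_LINE.match(line)
        if not m or not key.lower().endswith(r"\currentversion\run"):
            continue
        name = m["name"]
        folder, image = ntpath.split(image_path(m["data"]).lower())
        if name.lower() in RUN_VALUE_NAMES:
            findings.append((key, name, "Run value name listed in write-up"))
        if INSTALL_DIR in folder:
            findings.append((key, name, "image under MSWSPXP install directory"))
        if image == "svchost.exe" and folder not in SYSTEM_DIRS:
            findings.append((key, name, "svchost.exe outside System32"))
    return findings

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\Windows\System32\ctfmon.exe
    applicationgateway    REG_SZ    C:\Program Files\MSWSPXP\!Executables\Release\svchost.exe
    updater    REG_SZ    "C:\Users\a\AppData\Roaming\svchost.exe" -k
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
"""

if __name__ == "__main__": print(*scan_reg_query(SAMPLE), sep="\n")
```

A match on the value name alone is weak evidence; the path-based findings are the ones worth triaging first.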