Spyware.ScreenView

Updated: 12 October 2006
Risk Impact: High
Systems Affected: Windows

Behavior

Spyware.ScreenView is a spyware program that monitors user activity on computers in a local area network.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 April 2017 revision 004
  • Initial Daily Certified version 12 October 2006
  • Latest Daily Certified version 07 April 2017 revision 008
  • Initial Weekly Certified release date 18 October 2006

When the risk is executed, it may create the following files:
%Windir%\system32\COMCT332.OCX
%Windir%\system32\COMDLG32.OCX
%Windir%\system32\HH.EXE
%Windir%\system32\MCLHotkey.ocx
%Windir%\system32\mscomctl.ocx
%Windir%\system32\MSMASK32.OCX
%Windir%\system32\MSVBVM60.DLL
%Windir%\system32\MSWINSCK.OCX
%Windir%\system32\Sspl.dll
%Windir%\system32\VB6STKIT.DLL
%Windir%\system32\ZTray.ocx
%Windir%\folders.nfo
%Windir%\Setup1.exe
%Windir%\ST6UNST.EXE
%Windir%\svrmgr.exe
%UserProfile%\Start Menu\Programs\ScreenView\ScreenView.LNK
%ProgramFiles%\ScreenView\ScreenView.crc
%ProgramFiles%\ScreenView\ScreenView.exe
%ProgramFiles%\ScreenView\ST6UNST.LOG
%ProgramFiles%\ScreenView\svhelp.chm
%ProgramFiles%\svrmgr\ST6UNST.LOG

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ScreenView.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\ScreenView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #[INSTALLATION_NUMBER]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SvrMgr.exe
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\ScreenView

The risk creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ScreenView" = "%ProgramFiles%\ScreenView\ScreenView"

The risk also creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\"svrmgr.exe" = "1"
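
An added triage example (not part of the vendor writeup) that checks a host's file inventory and registry export against the indicators listed above. It assumes MSVBVM60.DLL, MSWINSCK.OCX, COMDLG32.OCX and HH.EXE are treated as shared Microsoft components that other software also installs, so only the ScreenView-specific paths and the Run value decide the verdict. The function names, the verdict strings and the sample hosts are constructed for illustration.

```python
import re

# Indicators copied from the writeup. Splitting them into program-specific and
# shared-runtime groups is this example's assumption, not the vendor's.
SPECIFIC_FILES = [
    r"%ProgramFiles%\ScreenView\ScreenView.exe",
    r"%ProgramFiles%\ScreenView\ScreenView.crc",
    r"%Windir%\svrmgr.exe",
    r"%UserProfile%\Start Menu\Programs\ScreenView\ScreenView.LNK",
]
SHARED_RUNTIME = [
    r"%Windir%\system32\MSVBVM60.DLL",
    r"%Windir%\system32\MSWINSCK.OCX",
    r"%Windir%\system32\COMDLG32.OCX",
    r"%Windir%\system32\HH.EXE",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ScreenView"

def expand(path, env):
    """Substitute %Var% tokens (names matched case-insensitively), then lowercase."""
    lookup = {k.lower(): v for k, v in env.items()}
    out = re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)
    return out.rstrip("\\").lower()

def triage(env, files, run_values):
    """files: paths seen on a host; run_values: {(key, value_name): data} from a registry export."""
    seen = {expand(f, env) for f in files}
    specific = [p for p in SPECIFIC_FILES if expand(p, env) in seen]
    shared = [p for p in SHARED_RUNTIME if expand(p, env) in seen]
    autostart = any(key.lower() == RUN_KEY.lower() and name.strip('"').lower() == RUN_VALUE.lower()
                    for key, name in run_values)
    verdict = "screenview-present" if (autostart or specific) else "no-specific-evidence"
    return {"verdict": verdict, "autostart": autostart, "specific": specific, "shared": shared}

# Constructed sample inventories (not real hosts).
ENV = {"Windir": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files",
       "UserProfile": r"C:\Documents and Settings\alice"}
HOST_A_FILES = [r"c:\windows\system32\msvbvm60.dll", r"C:\WINDOWS\svrmgr.exe",
                r"C:\Program Files\ScreenView\ScreenView.exe"]
HOST_A_RUN = {(RUN_KEY, "ScreenView"): r"C:\Program Files\ScreenView\ScreenView"}
HOST_B_FILES = [r"C:\WINDOWS\system32\MSVBVM60.DLL", r"C:\WINDOWS\system32\hh.exe"]
HOST_B_RUN = {}

if __name__ == "__main__":
    for name, files, run in (("host-a", HOST_A_FILES, HOST_A_RUN), ("host-b", HOST_B_FILES, HOST_B_RUN)):
        print(name, triage(ENV, files, run))
```

Host B shows why the split matters: it carries two of the listed system32 files yet produces no ScreenView-specific hit.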

The risk contains a client component, which is installed on the computers to be monitored. A server component then monitors the client components and may allow the following actions to be performed on the monitored computers:
  • Capture screenshots
  • Log keystrokes
  • Execute and terminate programs