Spyware.WALogger

Updated:
13 February 2007
Version:
10.0.25
Publisher:
TCB Software
Risk Impact:
High
File Names:
WALI_LITE_Setup.exe SERVICES.EXE WALIMAIN.exe WALI.dll
Systems Affected:
Windows

Behavior


Spyware.WALogger is a spyware program that logs keystrokes.

Symptoms


Your Symantec program detects Spyware.WALogger.

Transmission


Spyware.WALogger must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 14 June 2005
  • Latest Daily Certified version 17 January 2008 revision 033
  • Initial Weekly Certified release date 15 June 2005

When Spyware.WALogger is installed, it performs the following actions:
  1. Creates the following files:

    • %System%\CatRoot2\tmp.edb
    • %System%\dllcache\hhctrl.ocx
    • %System%\hh.exe
    • %System%\OLD46.tmp
    • %System%\RICHTX32.OCX
    • %System%\TABCTL32.OCX
    • %System%\UNIPro4TCBS.ocx
    • %System%\VB6STKIT.DLL
    • %System%\WALI\SVCS\1151211099711011610199.al - log file
    • %System%\WALI\SVCS\readme.txt
    • %System%\WALI\SVCS\SERVICES.EXE - log process
    • %System%\WALI\SVCS\UGF.bin
    • %System%\WALI\SVCS\unins000.dat
    • %System%\WALI\SVCS\unins000.exe
    • %System%\WALI\SVCS\wali0
    • %System%\WALI\SVCS\WALIHelp.chm
    • %System%\WALI\SVCS\WALIMAIN.exe - main gui
    • %System%\WALI\SVCS\WALIMAIN.exe.manifest
    • %System%\WALI.dll
    • %Windir%\LastGood\system32\hhctrl.ocx

      Notes:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • Only the files under %System%\WALI\SVCS\ and %System%\WALI.dll are specific to this risk. hh.exe and hhctrl.ocx are the Microsoft HTML Help viewer and control; RICHTX32.OCX, TABCTL32.OCX and VB6STKIT.DLL are Visual Basic 6 runtime components that the installer bundles; CatRoot2\tmp.edb and the LastGood folder are written by Windows itself as a side effect of the installation. These are present on many clean systems and the removal instructions below do not delete them.
    • The logging process is named SERVICES.EXE, the same name as the Windows Service Control Manager (%System%\services.exe). When checking a running process, compare the full image path, not just the name.

  2. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93AAC05D-B974-4770-A9EE-92EFE7A59A85}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BA6AF311-61FA-468B-BB20-303BFA6B6C6B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F51CF22E-E6B3-498F-A9A5-80E80E9E06BD}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8FB10DD5-CC4F-4D5C-B8E9-E45BE911DE2A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UNIPro.uUNIPro
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WALI.cWALIRun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Activity Logging Interface_is1
    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WALI

      Notes:
    • Most of the CLSID, Interface and TypeLib subkeys are the COM registrations of the bundled Microsoft controls (for example, {3B7C8860-D78F-101B-B9B5-04021C009402} is the Visual Basic RichTextBox control, and the ActiveX Compatibility entry for {ADB880A6-D8FF-11CF-9377-00AA003B7A11} belongs to the HTML Help control). Only the subkeys listed in the removal instructions below are specific to the risk.
    • The "_is1" suffix on the Uninstall subkey, together with unins000.exe and unins000.dat, indicates an Inno Setup installer; this is the uninstallation applet referred to in the removal instructions.
    • The HKEY_CURRENT_USER subkey is created in the hive of the user who ran the installer. If a different user is logged on during removal, load that user's hive to find it.

  3. Adds the value:

    "WSVCS" = "%System%\WALI\SVCS\SERVICES.EXE"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Adds the value:

    "AlternateCLSID" = "{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}

  5. Logs keystrokes.
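The following PowerShell script is an added example and is not part of the Symantec writeup or of the risk itself. It checks a live host for the indicators listed above: the WSVCS Run value, the files and registry keys that are unique to the risk (the bundled Microsoft runtimes are deliberately skipped), and any process named services.exe that is not running from %System%\services.exe. It assumes an elevated PowerShell prompt; the SysWOW64 check is an assumption for 64-bit systems, which the writeup predates.

```powershell
# Added example, not part of the Symantec writeup: look for the Spyware.WALogger
# indicators described above on a live host. Run from an elevated PowerShell prompt.
$findings = @()

# The writeup predates 64-bit Windows; a 32-bit installer's %System% writes land in
# SysWOW64 there, so check both locations where they exist (assumption).
$sysDirs = @([Environment]::GetFolderPath('System'), (Join-Path $env:windir 'SysWOW64')) |
    Where-Object { Test-Path -LiteralPath $_ }

# 1. Persistence: the WSVCS value under the Run key (step 3 above).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['WSVCS']) {
    $findings += "Run value WSVCS = $($run.WSVCS)"
}

# 2. Files unique to the risk. Bundled runtimes (RICHTX32.OCX, VB6STKIT.DLL, hh.exe, ...)
#    are not checked: they are also present on many clean machines.
foreach ($dir in $sysDirs) {
    foreach ($rel in 'WALI\SVCS\SERVICES.EXE', 'WALI\SVCS\WALIMAIN.exe', 'WALI.dll') {
        $p = Join-Path $dir $rel
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 3. Registry keys unique to the risk: the ProgID and CLSID the removal section deletes,
#    the Inno Setup uninstall entry, and the per-user settings key (current user only).
$keys = @(
    'HKLM:\SOFTWARE\Classes\WALI.cWALIRun',
    'HKLM:\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Activity Logging Interface_is1',
    'HKCU:\Software\VB and VBA Program Settings\WALI'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 4. Name masquerading: the logger runs as SERVICES.EXE, the same name as the Windows
#    Service Control Manager. Any services.exe whose image is not %System%\services.exe
#    is suspect. Path is $null for processes this session cannot open; those are skipped.
$legit = Join-Path ([Environment]::GetFolderPath('System')) 'services.exe'
Get-Process -Name services -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and ($_.Path -ine $legit)) {
        $findings += "services.exe running from unexpected path: $($_.Path) (PID $($_.Id))"
    }
}

if ($findings.Count -eq 0) { 'No Spyware.WALogger indicators found.' } else { $findings }
```

The process check is the one worth keeping after this particular risk is gone: a second services.exe, or one whose image path is outside %System%, is a common sign of name masquerading regardless of which program is behind it.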



The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Uninstall the security risk.
  2. Delete any values added to the registry.
1. To uninstall the security risk
This security risk includes an uninstallation applet. In order to uninstall this security risk, complete the following instructions:
  1. Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).

  2. In the Control Panel window, double-click Add/Remove Programs.

    Windows Me only: If you do not see the Add/Remove Programs icon, click ...view all Control Panel options.

  3. Click WALI (LITE).

    Note:
    You may need to use the scroll bar to view the whole list.

  4. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

    Note: The Add/Remove Programs applet should remove the risk's files. Run a full system scan afterwards to confirm this; if the uninstaller did its job, the scan will detect no remaining files.

2. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit

    Then click OK.

    Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  3. Navigate to and delete the subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WALI.cWALIRun
    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WALI

  4. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. In the right pane, delete the value:

    "WSVCS" = "%System%\WALI\SVCS\SERVICES.EXE"

  6. Exit the Registry Editor.
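The following PowerShell script is an added example and is not part of the Symantec writeup. It performs step 2 (deleting the registry subkeys and the WSVCS Run value) from an elevated prompt, exporting each subkey with reg.exe before deleting it so that the backup the writeup recommends is taken automatically. It assumes step 1 (the uninstallation applet) has already been run so that SERVICES.EXE is no longer running, and the backup directory under %TEMP% is an assumption.

```powershell
# Added example, not part of the Symantec writeup: scripted version of removal step 2.
# Run from an elevated PowerShell prompt after the uninstallation applet (step 1).
$backupDir = Join-Path $env:TEMP 'walogger-regbackup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Subkeys listed in step 3 of the removal instructions, in reg.exe's native notation.
$subkeys = @(
    'HKLM\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}',
    'HKLM\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}',
    'HKLM\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}',
    'HKLM\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}',
    'HKLM\SOFTWARE\Classes\WALI.cWALIRun',
    # HKCU is the hive of the logged-on user; load the installing user's hive if different.
    'HKCU\Software\VB and VBA Program Settings\WALI'
)

$n = 0
foreach ($k in $subkeys) {
    # Convert HKLM\... to the HKLM:\... form the registry provider expects.
    $psPath = $k -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\'
    if (-not (Test-Path -LiteralPath $psPath)) { Write-Host "absent:  $k"; continue }
    $n++
    # Export before deleting; /y overwrites an existing backup file without prompting.
    & reg.exe export $k (Join-Path $backupDir "key$n.reg") /y | Out-Null
    Remove-Item -LiteralPath $psPath -Recurse -Force
    Write-Host "deleted: $k"
}

# Steps 4 and 5: remove only the WSVCS value, leaving the rest of the Run key intact.
$runNative = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
& reg.exe export $runNative (Join-Path $backupDir 'run.reg') /y | Out-Null
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['WSVCS']) {
    Write-Host "deleting Run value WSVCS = $($run.WSVCS)"
    Remove-ItemProperty -Path $runKey -Name 'WSVCS'
} else {
    Write-Host 'Run value WSVCS not present'
}

Write-Host "Registry backups written to $backupDir"
```

Deleting only the WSVCS value, rather than the whole Run key, matches the writeup's instruction to modify the specified subkeys only; other programs' startup entries in that key are left untouched. If the exported .reg files are ever needed, reg.exe import restores them.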