SPYWARE_TRAK_ACESPY
Aliases: MonitoringTool:Win32/SnoopIt, MonitoringTool:Win32/ThePCDetective, Backdoor:Win32/Pasur!rts (Microsoft), Win32/Monitor.SniperSpy application, Win32/PCDetective.C application, Win32/Optix.Pro.13 trojan (Eset)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
TECHNICAL DETAILS
File Size: 2,239,559 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 07 Apr 2011
Installation
This spyware drops the following component file(s):
- %Program Files%\Retina-X Studios\AceSpy\contlist.ndx
- %Program Files%\Retina-X Studios\AceSpy\keylist.ndx
- %Program Files%\Retina-X Studios\AceSpy\LOGS\acecache\_ace03202013.log
- %Program Files%\Retina-X Studios\AceSpy\LOGS\appcache\_app03202013.log
- %Program Files%\Retina-X Studios\AceSpy\LOGS\eventcache\_event03202013.log
- %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache\key20130320055357.log
- %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache\KeyLog03202013.log
- %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache\scr03202013055355.jpg
- %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache\scrlog03202013.log
- %Program Files%\Retina-X Studios\AceSpy\LOGS\wincache\app03202013.log
- %Program Files%\Retina-X Studios\AceSpy\urlfname.ndx
- %Program Files%\Retina-X Studios\AceSpy\userlist.ndx
- %Program Files%\Retina-X Studios\AceSpy\winlist.ndx
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It creates the following folders:
- {All User's Profile}\Start Menu\Programs\AceSpy
- %Program Files%\Retina-X Studios
- %Program Files%\Retina-X Studios\AceSpy
- %Program Files%\Retina-X Studios\AceSpy\LOGS
- %Program Files%\Retina-X Studios\AceSpy\LOGS\acecache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\appcache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\clipcache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\emailcache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\eventcache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\iecache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\msgcache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\prncache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\recentcache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\taskcache
- %Program Files%\Retina-X Studios\AceSpy\LOGS\wincache
Other System Modifications
This spyware adds the following registry keys:
HKEY_CURRENT_USER\Software\VnSI4H Softwares
HKEY_CURRENT_USER\Software\VnSI4H Softwares\StealthAPIs
HKEY_LOCAL_MACHINE\SOFTWARE\RXS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\RXS
thePassword = "{password}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
ImagePath = "\??\%User Temp%\mc2B.tmp"
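As an added triage check (not part of this write-up), the PowerShell below looks on a host for the registry keys, the mchInjDrv service entry and the drop folders listed above. It assumes the standard HKCU:/HKLM: registry drives and the usual Program Files environment variables, and it only reports, removing nothing; the dated log file names above reflect the analysis date, so the script matches the cache folders by name pattern rather than those literal file names.

```powershell
# Added triage script (not from the Trend Micro write-up). Run as Administrator.
$hits = @()

# Registry keys named in the write-up. HKCU: covers only the current user's hive;
# for a full sweep, repeat the check against the other loaded hives under HKU:.
$regKeys = @(
    'HKCU:\Software\VnSI4H Softwares\StealthAPIs',
    'HKLM:\SOFTWARE\RXS',
    'HKLM:\SYSTEM\CurrentControlSet\Services\mchInjDrv'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $hits += "Registry key present: $k" }
}

# The mchInjDrv service points ImagePath at \??\%User Temp%\mc2B.tmp. A driver
# loaded from a .tmp file in a temp directory is itself a strong signal.
$svc = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\mchInjDrv' `
       -ErrorAction SilentlyContinue
if ($svc -and $svc.ImagePath -match '\.tmp$') {
    $hits += "mchInjDrv ImagePath is a .tmp file: $($svc.ImagePath)"
}

# Drop folders. Check both Program Files roots so 32-bit and 64-bit installs are covered.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($r in $roots) {
    $dir = Join-Path $r 'Retina-X Studios\AceSpy'
    if (Test-Path -LiteralPath $dir) {
        $hits += "Install folder present: $dir"
        # Log names embed the capture date (e.g. _ace03202013.log), so enumerate the
        # *cache folders under LOGS instead of looking for the dated names verbatim.
        Get-ChildItem -LiteralPath (Join-Path $dir 'LOGS') -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match 'cache$' } |
            ForEach-Object {
                $hits += "Log cache folder: $($_.FullName) ($($_.GetFiles().Count) files)"
            }
    }
}

# Start Menu folder created for all users ({All User's Profile}\Start Menu\Programs\AceSpy).
$sm = Join-Path ([Environment]::GetFolderPath('CommonPrograms')) 'AceSpy'
if (Test-Path -LiteralPath $sm) { $hits += "Start Menu folder present: $sm" }

if ($hits.Count -eq 0) { 'No AceSpy artifacts found.' } else { $hits }
```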