SPYWARE_TRAK_ACESPY

 Analysis by: Rika Joi Gregorio

 ALIASES:

MonitoringTool:Win32/SnoopIt, MonitoringTool:Win32/ThePCDetective, Backdoor:Win32/Pasur!rts (Microsoft), Win32/Monitor.SniperSpy application, Win32/PCDetective.C application, Win32/Optix.Pro.13 trojan (Eset)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  TECHNICAL DETAILS

File Size: 2,239,559 bytes

File Type: EXE

Memory Resident: No

Initial Samples Received Date: 07 Apr 2011

Installation

This spyware drops the following component file(s):

  • %Program Files%\Retina-X Studios\AceSpy\contlist.ndx
  • %Program Files%\Retina-X Studios\AceSpy\keylist.ndx
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\acecache\_ace03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\appcache\_app03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\eventcache\_event03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache\key20130320055357.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache\KeyLog03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache\scr03202013055355.jpg
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache\scrlog03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\wincache\app03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\urlfname.ndx
  • %Program Files%\Retina-X Studios\AceSpy\userlist.ndx
  • %Program Files%\Retina-X Studios\AceSpy\winlist.ndx

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

  • {All User's Profile}\Start Menu\Programs\AceSpy
  • %Program Files%\Retina-X Studios
  • %Program Files%\Retina-X Studios\AceSpy
  • %Program Files%\Retina-X Studios\AceSpy\LOGS
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\acecache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\appcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\clipcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\emailcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\eventcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\iecache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\msgcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\prncache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\recentcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\taskcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\wincache

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\VnSI4H Softwares

HKEY_CURRENT_USER\Software\VnSI4H Softwares\StealthAPIs

HKEY_LOCAL_MACHINE\SOFTWARE\RXS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\RXS
thePassword = "{password}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
ImagePath = "\??\%User Temp%\mc2B.tmp"
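A defender's check for the artefacts listed in this entry, written as an added Python example (not part of the Trend Micro report): it classifies observed file paths and registry key/value data against the dropped files, install folders and registry keys above. Two assumptions are not stated by the report: the digit runs in the dropped log names are date/time stamps of the analysed run rather than fixed strings, and the mchInjDrv ImagePath file name (mc2B.tmp in the sample) may differ between infections.

```python
import re

# Indicators from the report above; both default %Program Files% locations
# named in the report's note are accepted.
PROGRAM_FILES = (r"C:\Program Files", r"C:\Program Files (x86)")
ACESPY_DIR = r"\Retina-X Studios\AceSpy"
INDEX_FILES = {"contlist.ndx", "keylist.ndx", "urlfname.ndx",
               "userlist.ndx", "winlist.ndx"}
# Assumption: the digits in the dropped log names (_ace03202013.log,
# key20130320055357.log) are MMDDYYYY / YYYYMMDDHHMMSS stamps of the sample
# run, so they are matched as digit runs rather than as the literal values.
LOG_PATTERNS = [re.compile(p, re.I) for p in (
    r"^\\LOGS\\acecache\\_ace\d{8}\.log$",
    r"^\\LOGS\\appcache\\_app\d{8}\.log$",
    r"^\\LOGS\\eventcache\\_event\d{8}\.log$",
    r"^\\LOGS\\keycache\\(key\d{14}|KeyLog\d{8})\.log$",
    r"^\\LOGS\\scrcache\\(scr\d{14}\.jpg|scrlog\d{8}\.log)$",
    r"^\\LOGS\\wincache\\app\d{8}\.log$")]
REGISTRY_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\VnSI4H Softwares",
    r"HKEY_CURRENT_USER\Software\VnSI4H Softwares\StealthAPIs",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\RXS",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv")}
# mchInjDrv's ImagePath is an NT path (\??\) to a .tmp file in the user's Temp
# folder. Assumption: the file name (mc2B.tmp in the sample) is not fixed.
TEMP_IMAGEPATH = re.compile(r"^\\\?\?\\.*\\Temp\\[^\\]+\.tmp$", re.I)

def classify_path(path):
    """Return the AceSpy indicator class for a file path, or None."""
    low = path.lower()
    for pf in PROGRAM_FILES:
        prefix = (pf + ACESPY_DIR).lower()
        if low.startswith(prefix + "\\"):
            rest = path[len(prefix):]           # part below the AceSpy folder
            if rest.lower().lstrip("\\") in INDEX_FILES:
                return "acespy-index"
            if any(p.match(rest) for p in LOG_PATTERNS):
                return "acespy-capture-log"
            return "acespy-install-dir"        # anything else under the folder
    return None

def classify_registry(key, name=None, data=None):
    """Return the indicator class for a registry key (and optional value), or None."""
    if key.lower() not in REGISTRY_KEYS:
        return None
    if (key.lower().endswith(r"services\mchinjdrv") and name
            and name.lower() == "imagepath" and data and TEMP_IMAGEPATH.match(data)):
        return "acespy-driver-temp-imagepath"  # driver loaded from a Temp .tmp file
    return "acespy-registry-key"
```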