Content

Spyware-RemoteSpy

Type
Program
SubType
Spyware
Discovery Date
07/29/2004
Minimum DAT
4383 (08/04/2004)
Updated DAT
4829 (08/14/2006)
Minimum Engine
5.1.00
Description Added
05/11/2005
Description Modified
05/11/2005 5:08 PM (PT)

Tab Navigation

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.  
Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp   for a list of Program detections added to the DATs.

See  http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary:

This application logs keystrokes, collects machine and user specific information, such as web browser history, various Instant Messenger chat information, recent documents viewed, running applications, etc.  Log files are sent via FTP to a specific web site.

Installation:

When run, the following files are created:

  • %SysDir%\winsvc.exe
  • %WinDir%\winreg32.dll
  • %WinDir%\ncslib.dll

Where %SysDir% is the Windows system32 directory, %WinDir% is the Windows directory.

The following registry key is created to load the program at startup.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "winsvc" = %SysDir%\winsvc.exe

It creates the following log files to store information:

  • c:\Documents and Settings\All Users\Application Data\NetExt\Administrator\actions.dat
  • c:\Documents and Settings\All Users\Application Data\NetExt\Administrator\app.dat
  • c:\Documents and Settings\All Users\Application Data\NetExt\Administrator\doc.dat
  • c:\Documents and Settings\All Users\Application Data\NetExt\Administrator\uman.dat
  • c:\Documents and Settings\All Users\Application Data\NetExt\Administrator\web.dat
  • c:\Documents and Settings\All Users\Application Data\NetExt\Administrator\win.dat

Aliases

Aliases

  • PWSteal.Trojan (Symantec)
  • TROJ_AGENT.BI (Trend)
  • Trojan-Spy.Win32.Agent.bi (AVP)