
Spyware-StaffCop.dr

Type: Program
SubType: Dropper
Discovery Date: 04/03/2006
Minimum DAT: 4732 (04/03/2006)
Updated DAT: 4732 (04/03/2006)
Minimum Engine: 5.1.00
Description Added: 04/03/2006
Description Modified: 05/02/2006 2:13 AM (PT)


Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.aspx for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.aspx for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary:

This is not a virus or Trojan. It is detected as a potentially unwanted program. It is a spyware dropper which installs the spyware application “StaffCop”. Files dropped are detected as Spyware-StaffCop.

This spyware application is used for monitoring activity on a remote computer or on one’s own computer. The controlling computer can install “StaffCop Agent” on a remote computer and perform the following activities:

  • View the screen of the remote computer in real time and obtain snapshots of the same.
  • View lists of running processes and the websites visited on the remote computer and obtain logs of the same.

The following snapshot shows the viewing screen presented to the controlling user. The screen shows the activity on a remote computer on which StaffCop Agent is installed.

Privacy:

A EULA is displayed during the installation.

Installation:

Installation on controlling computer:

File name: StaffCop.exe
MD5Hash: 7aeb0c36dac83aeeed9e78d59a46ede6

This file installs the spyware on the controlling computer (which monitors other remote computers).

When the application is executed, the following folders are created:

  • %All Users%\Start Menu\Programs\StaffCop
  • %Program Files%\StaffCop
  • %Program Files%\StaffCop\logs
  • %Program Files%\StaffCop\templates
  • %SYSTEM32%\CSRSS
  • %SYSTEM32%\CSRSS\SS

The following files are added to the directory %Program Files%\StaffCop:

  • Agent.exe
  • ReportWizard.exe
  • RWRes.dll
  • SCRes.dll
  • StaffCop.exe 

The following file is added to the directory %WINDOWS%:

  • csrss.exe

The following registry entries are added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StaffCop_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\StaffCop
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\csrss.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StaffCop Service
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Staffcop Scheduler"

Installation on a remote computer:

File name: AgentSetup.exe
MD5Hash: 600f36c25cefdfb900d6fe23d8ea5d7d

This file must be executed on a remote computer in order to monitor the activities on that system.

When the application is executed, the following folders are created:

  • %PROGRAM FILES%\StaffCop
  • %SYSTEM32%\CSRSS
  • %SYSTEM32%\CSRSS\SS

The following files are added:

  • %PROGRAM FILES%\StaffCop Agent\Agent.exe
  • %WINDOWS%\csrss.exe

The following registry entries are added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StaffCop Agent_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\StaffCop
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\csrss.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StaffCop Service
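
Both installers place a csrss.exe in %WINDOWS% and register a service named csrss.exe, while the genuine Windows csrss.exe lives in the System32 directory. The following triage script is an added example, not part of the original description or of any McAfee tool: it checks a collected list of file and service image paths against the file and folder artifacts listed above. The function names, the sample inventory and the expansion of the % placeholders to C:\Windows and C:\Program Files are assumptions.

```python
import ntpath

# Assumed default locations for the page's %VAR% placeholders (not from the page).
ASSUMED_VARS = {
    "%windows%": r"c:\windows",
    "%systemroot%": r"c:\windows",
    "%system32%": r"c:\windows\system32",
    "%program files%": r"c:\program files",
}
# File and folder artifacts copied from the lists on this page.
PAGE_ARTIFACTS = [
    r"%WINDOWS%\csrss.exe",
    r"%SYSTEM32%\CSRSS",  # also covers %SYSTEM32%\CSRSS\SS by prefix
    r"%Program Files%\StaffCop",
    r"%PROGRAM FILES%\StaffCop Agent\Agent.exe",
]
LEGIT_CSRSS = r"c:\windows\system32\csrss.exe"

def normalize(path):
    """Lower-case, unquote, expand the assumed variables and collapse separators."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    for var, value in ASSUMED_VARS.items():
        p = p.replace(var, value)
    return ntpath.normpath(p)

def triage(paths):
    """Map each suspicious inventory path to the reason it was flagged."""
    known = {normalize(a) for a in PAGE_ARTIFACTS}
    findings = {}
    for raw in paths:
        p = normalize(raw)
        if ntpath.basename(p) == "csrss.exe" and p != LEGIT_CSRSS:
            findings[raw] = "csrss.exe outside System32"
        elif p in known or any(p.startswith(k + "\\") for k in known):
            findings[raw] = "StaffCop artifact path"
    return findings

# Constructed inventory (file listing plus service image paths) for illustration.
SAMPLE = [
    r"%SystemRoot%\system32\csrss.exe",           # genuine location, not flagged
    r"C:\WINDOWS\csrss.exe",
    r"C:\Windows\System32\CSRSS\SS\0001.dat",     # constructed file name
    r'"C:\Program Files\StaffCop Agent\Agent.exe"',
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE).items():
        print(f"{reason}: {path}")
```

A csrss.exe hit outside System32 is worth reviewing even when no other StaffCop path is present, since the name match alone does not identify which program placed the file.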

Aliases


  • Spyware.StaffCop: Symantec