PWCrack-Winspy

Type: Program
SubType: Malware Tool
Discovery Date: 04/13/2006
Length:
Minimum DAT: 4740 (04/13/2006)
Updated DAT: 6546 (11/30/2011)
Minimum Engine: 5.1.00
Description Added: 04/13/2006
Description Modified: 05/30/2008 9:21 AM (PT)

Risk Assessment
Corporate User: N/A
Home User: N/A

Characteristics

PWCrack-Winspy provides several functions intended to spy on user activity. In particular, it logs keystrokes, records visited URLs, can take screenshots, and hides itself. It can also automatically send the collected data to a pre-configured email address.

The administration interface can be shown by pressing a predefined key combination. It is protected by a login name and password.

PWCrack-Winspy does not appear in the Windows Task Manager or in the installed programs list.

PWCrack-Winspy creates the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA
  • HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\FH
  • HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\KA
  • HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\US
  • HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\WM

It also hides itself and prevents the user from modifying folder options by adding the following value under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

  • "NoFolderOptions" = "01000000"
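The following Python scanner is an added example, not part of the original description: it parses a registry export in .reg text format (as produced by reg export) and reports which of the IPANEMA keys and the NoFolderOptions policy value listed above are present. The .reg sample embedded in it is constructed for the demonstration.

```python
import re

# Registry indicators listed in the PWCrack-Winspy description above.
WINSPY_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\FH",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\KA",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\US",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\WM",
)
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoFolderOptions"

# Constructed .reg export (not a real capture) used to exercise the scanner.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA]
[HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\KA]
"Mode"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=hex:01,00,00,00
"NoDriveTypeAutoRun"=dword:00000091
"""

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}, names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})  # paths are case-insensitive
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def is_nonzero(raw):
    """True for a non-zero dword:/hex: value; the page's 01000000 is hex 01,00,00,00 (=1)."""
    kind, _, data = raw.partition(":")
    if kind == "dword":
        return int(data, 16) != 0
    return kind == "hex" and any(int(b, 16) for b in data.split(",") if b)

def find_winspy_indicators(text):
    """Return every PWCrack-Winspy indicator present in a .reg export."""
    keys = parse_reg(text)
    hits = [k for k in WINSPY_KEYS if k.lower() in keys]
    raw = keys.get(POLICY_KEY.lower(), {}).get(POLICY_VALUE.lower())
    if raw is not None and is_nonzero(raw):
        hits.append(POLICY_KEY + "\\" + POLICY_VALUE + "=" + raw)
    return hits
```

A hit on the IPANEMA keys alone is a strong indicator; NoFolderOptions on its own is also set by legitimate group policy, so treat it as corroborating evidence rather than proof.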

Symptoms

Method of Infection

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.

Variants

N/A
