Systweak Spyware Library
Systweak Spyware Library text
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Monitoring.Employee-Monitoring.3 Analysis Report
Threat Submitted On: 7/13/2008 10:19:57 AM
Threat Analysed On: 7/13/2008 3:19:57 PM
Threat Updated On: 1/28/2011 12:15:10 AM
Type : Monitoring
Symptoms of Employee-Monitoring.3
  • Capture the activities performed by the user on a system
  • Captured information is sent to the intruder.
  • The intruder can access the compromised machine at real-time.
Information
Alias : Monitoring.Employee-Monitoring.3.1
Md5 Hash : [d8fb9bd365ba7122eedfb3747ebe03a8]
File Size : (824592 bytes)

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: employee monitoring.exe
Path : %programfiles%\employee monitoring

Md5Hash :94a937b064db5e873871cb6640540204 ( 917504 bytes)
File: unins000.exe
Path : %programfiles%\employee monitoring

Md5Hash :4430cc72b3a69e91f42043950461fbd1 ( 71588 bytes)
File: [randomname].exe
Path : %workingdir%

Md5Hash :d8fb9bd365ba7122eedfb3747ebe03a8 ( 824592 bytes)
Creates the following child process(s) on execution:

%systemdrive%\docume~1\cwsand~1\locals~1\temp\ins1.tmp /sl3 $301b4 %workingdir%\employee-monitoring-09-03-03freeware.exe 816742 820156 61952

%programfiles%\employee monitoring\employee monitoring.exe

Creates the Following MUTEX(s) on user's System:-
ctf.lbes.mutexdefaults-1-5-21-583907252-1647877149-839522115-1005
ctf.compart.mutexdefaults-1-5-21-583907252-1647877149-839522115-1005
ctf.asm.mutexdefaults-1-5-21-583907252-1647877149-839522115-1005
ctf.layouts.mutexdefaults-1-5-21-583907252-1647877149-839522115-1005
ctf.tmd.mutexdefaults-1-5-21-583907252-1647877149-839522115-1005
Moves the Following Files to Given Location :-
Moves :%programfiles%\employee monitoring\is-kfscs.tmp
To : %programfiles%\employee monitoring\unins000.exe
Moves :%programfiles%\employee monitoring\is-tk1ob.tmp
To : %programfiles%\employee monitoring\employee monitoring.exe
Moves :%programfiles%\employee monitoring\is-kjfpu.tmp
To : %programfiles%\employee monitoring\dpcore.dll

NOTE:

1. %programfiles% Refers to the program files folder. By default it is 'C:\Program Files'
2. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.


Microsoft Gold Certified Partner

© Systweak Inc., 1999-2011 All rights reserved.