Behavior
Spyware.Wiretap is a spyware program that monitors and records keystrokes, programs executed, Web sites visited, and Instant Messenger conversations.
Symptoms
Your Symantec program detects Spyware.Wiretap.
You may find an icon in the System Tray that will open the Wiretap Pro control panel.
Transmission
This security risk must be manually installed.
Technical details
File names:
wiretappro.exe
iun6002.exe
scvhost.exe
ShellExecuteHook.dll
Hook.dll
When Spyware.Wiretap is executed, it performs the following actions:
1. Creates the following folders:
* %ProgramFiles%\Wiretap Professional
* C:\Documents and Settings\All Users\Start Menu\Programs\Wiretap Professional
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
2. Creates the following files:
* %ProgramFiles%\Wiretap Professional\scvhost.exe
* %ProgramFiles%\Wiretap Professional\ShellExecuteHook.dll
* %ProgramFiles%\Wiretap Professional\Hook.dll
* %ProgramFiles%\Wiretap Professional\irunin.ini
* %ProgramFiles%\Wiretap Professional\irunin.dat
* %ProgramFiles%\Wiretap Professional\irunin.lng
* %ProgramFiles%\Wiretap Professional\irunin.bmp
* %ProgramFiles%\Wiretap Professional\aide.htm
* %ProgramFiles%\Wiretap Professional\ayuda.htm
* %ProgramFiles%\Wiretap Professional\config.xml
* %ProgramFiles%\Wiretap Professional\config.~xml
* %ProgramFiles%\Wiretap Professional\help.htm
* %ProgramFiles%\Wiretap Professional\hilfe.htm
* %ProgramFiles%\Wiretap Professional\Languages\English.lng
* %ProgramFiles%\Wiretap Professional\Languages\French.lng
* %ProgramFiles%\Wiretap Professional\Languages\German.lng
* %ProgramFiles%\Wiretap Professional\Languages\Spanish.lng
* %ProgramFiles%\Wiretap Professional\Help\English\RD.gif
* %ProgramFiles%\Wiretap Professional\Help\English\get_flash_player.gif
* %ProgramFiles%\Wiretap Professional\Help\English\help.css
* %ProgramFiles%\Wiretap Professional\Help\English\helpcontents.css
* %ProgramFiles%\Wiretap Professional\Help\English\left.htm
* %ProgramFiles%\Wiretap Professional\Help\English\main.htm
* %ProgramFiles%\Wiretap Professional\Help\English\nic.gif
* %Windir%\iun6002.exe
* C:\Documents and Settings\All Users\Start Menu\Programs\Wiretap Professional\Uninstall Wiretap Professional.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Wiretap Professional\Wiretap Help File.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Wiretap Professional\Wiretap Professional.lnk
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
3. Adds the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\scvhost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{935FA400-243D-11D3-B06E-857B2AE2BE64}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShellExecuteHook.TShellExecuteHook
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wtp_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{935FA400-243D-11D3-B06E-857B2AE2BE64}
4. Adds the value:
"scvhost" = "%ProgramFiles%\Wiretap Professional\scvhost.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
5. Monitors keystrokes, passwords, documents viewed, Web sites visited, and Instant Messenger conversations.
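An added example (not part of the original write-up and not Symantec's tooling): a read-only PowerShell check for the registry entries and files listed in steps 1 to 4. Checking the WOW6432Node registry view and the Program Files (x86) folder is an assumption made here to cover 64-bit Windows, which the write-up does not mention; the helper name Add-Finding is hypothetical.

```powershell
# Added example: read-only check for the Spyware.Wiretap artifacts listed above.
# Key names, the CLSID and file names are copied from this write-up.
$clsid = '{935FA400-243D-11D3-B06E-857B2AE2BE64}'
# Assumption (not from the write-up): also check the 32-bit registry view and
# Program Files (x86), in case the installer was redirected on 64-bit Windows.
$softwareRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Type, [string]$Item) {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item })
}

foreach ($root in $softwareRoots) {
    $keys = @(
        "$root\Classes\Applications\scvhost.exe",
        "$root\Classes\CLSID\$clsid",
        "$root\Classes\ShellExecuteHook.TShellExecuteHook",
        "$root\Microsoft\Windows\CurrentVersion\Uninstall\wtp_is1",
        "$root\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\$clsid"
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { Add-Finding 'RegistryKey' $k }
    }
    # The Run value named "scvhost" is what starts the program at every boot.
    $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['scvhost']) {
        Add-Finding 'RunValue' ('{0} -> scvhost = {1}' -f $runKey, $run.scvhost)
    }
}

# Executables, hook DLLs and configuration file from the install folder.
$files = 'scvhost.exe', 'ShellExecuteHook.dll', 'Hook.dll', 'config.xml'
foreach ($dir in $programDirs) {
    foreach ($f in $files) {
        $p = Join-Path $dir "Wiretap Professional\$f"
        if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p }
    }
}
$installer = Join-Path $env:windir 'iun6002.exe'
if (Test-Path -LiteralPath $installer) { Add-Finding 'File' $installer }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Spyware.Wiretap artifacts from this write-up were found.' }
```

Run it from an elevated prompt so that every HKEY_LOCAL_MACHINE key is readable; the script changes nothing on the system.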
Removal instructions
See: http://securityresponse.symantec.com/avcenter/venc/data/spyware.wiretap.html