Behavior
Spyware.SpyKeySpy logs keystrokes and sends the stolen information to a configurable email address.
Symptoms
Files are detected as Spyware.SpyKeySpy
Transmission
Spyware.SpyKeySpy must be manually installed.
Technical details
File names:
setup_spykeyspy.exe
sks32proc.exe
sks32serv.dll
sks32hdrv.dll
When Spyware.SpyKeySpy is installed, it does the following:
1. Creates the following files and folders:
* %UserProfile%\Desktop\SpyKeySpy.lnk
* %UserProfile%\Start Menu\Programs\SpyKeySpy\Help.lnk
* %UserProfile%\Start Menu\Programs\SpyKeySpy\Homepage.lnk
* %UserProfile%\Start Menu\Programs\SpyKeySpy\Readme.lnk
* %UserProfile%\Start Menu\Programs\SpyKeySpy\SpyKeySpy.lnk
* %UserProfile%\Start Menu\Programs\SpyKeySpy\Uninstall SpyKeySpy.lnk
* %ProgramFiles%\sks32\Data\k_13_06_2005.ekf
* %ProgramFiles%\sks32\Home_page.url
* %ProgramFiles%\sks32\INSTALL.LOG
* %ProgramFiles%\sks32\Readme.txt
* %ProgramFiles%\sks32\sks32hdrv.dll (Spyware.SpyKeySpy) - hides the sks32proc.exe process from Task Manager
* %ProgramFiles%\sks32\sks32proc.exe (Spyware.SpyKeySpy)
* %ProgramFiles%\sks32\SpyKeySpy.chm
* %ProgramFiles%\sks32\UNWISE.EXE
* %Windir%\system32\sks32serv.dll (Spyware.SpyKeySpy)
Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyKeySpy
HKEY_LOCAL_MACHINE\SOFTWARE\SoftArtStudio\sks32_11
HKEY_LOCAL_MACHINE\SOFTWARE\UDShellR32
HKEY_LOCAL_MACHINE\SOFTWARE\Wise Solutions\Wise Installation System\Repair\C:/Program Files/sks32/INSTALL.LOG
3. Adds the value:
"sks-32" = "%ProgramFiles%\sks32\SKS32P~1.EXE"
to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
Removal instructions
See: http://securityresponse.symantec.com/avcenter/venc/data/spyware.spykeyspy.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit, and then click OK.
Note: If the Registry Editor fails to open, the risk may have modified the registry to prevent access to the Registry Editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
3. Navigate to and delete the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyKeySpy
HKEY_LOCAL_MACHINE\SOFTWARE\SoftArtStudio\sks32_11
HKEY_LOCAL_MACHINE\SOFTWARE\UDShellR32
HKEY_LOCAL_MACHINE\SOFTWARE\Wise Solutions\Wise Installation System\Repair\C:\Program Files\sks32\INSTALL.LOG
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"sks-32" = "%ProgramFiles%\sks32\SKS32P~1.EXE"
5. Exit the Registry Editor.
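The following PowerShell audit script is an added example and is not part of the Symantec writeup or of any Symantec tool. It checks a host for the indicators listed under Technical details (the Run-key value, the registry subkeys, the dropped files, and the loaded sks32serv.dll hook module) and reports what it finds without removing anything, so it can be run once to triage a machine and again after the removal steps above to confirm they took effect. The file and key names are taken from the lists above; the assumptions are a 32-bit program-files layout (the writeup predates 64-bit Windows) and the "name contains sks32" match used for the Wise Installation System repair entry, whose key name contains slashes and is awkward to address literally.

```powershell
# Added example: audit a Windows host for Spyware.SpyKeySpy indicators.
# Read-only: nothing is deleted or modified. Run from an elevated prompt so
# the module list of every process can be read.

$findings = @()

# 1. Persistence: value "sks-32" under the HKLM Run key. The value data is the
#    8.3 short name of %ProgramFiles%\sks32\sks32proc.exe (SKS32P~1.EXE).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['sks-32']) {
    $findings += "Run value 'sks-32' = $($run.'sks-32')"
}

# 2. Registry subkeys created by the installer.
$subkeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyKeySpy',
    'HKLM:\SOFTWARE\SoftArtStudio\sks32_11',
    'HKLM:\SOFTWARE\UDShellR32'
)
foreach ($k in $subkeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry subkey present: $k" }
}

# Wise Installation System repair entry. Its key name embeds a path with
# slashes, so enumerate the parent and match on the name instead (assumption:
# any child containing 'sks32' is the SpyKeySpy entry).
$repair = 'HKLM:\SOFTWARE\Wise Solutions\Wise Installation System\Repair'
if (Test-Path -LiteralPath $repair) {
    Get-ChildItem -LiteralPath $repair -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*sks32*' } |
        ForEach-Object { $findings += "Wise repair entry: $($_.PSChildName)" }
}

# 3. Dropped files and folders (assumption: 32-bit %ProgramFiles% layout).
$paths = @(
    (Join-Path $env:ProgramFiles 'sks32\sks32proc.exe'),
    (Join-Path $env:ProgramFiles 'sks32\sks32hdrv.dll'),
    (Join-Path $env:ProgramFiles 'sks32\UNWISE.EXE'),
    (Join-Path $env:windir      'system32\sks32serv.dll'),
    (Join-Path $env:USERPROFILE 'Desktop\SpyKeySpy.lnk'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\SpyKeySpy')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Keystroke log files (k_DD_MM_YYYY.ekf) accumulate under sks32\Data; report
# each one, since they show how long the logger has been active.
$dataDir = Join-Path $env:ProgramFiles 'sks32\Data'
if (Test-Path -LiteralPath $dataDir) {
    Get-ChildItem -LiteralPath $dataDir -Filter '*.ekf' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Keystroke log: $($_.FullName) ($($_.Length) bytes)" }
}

# 4. Runtime indicators. sks32hdrv.dll hides sks32proc.exe from Task Manager;
#    the writeup does not say whether other enumerators are affected, so treat
#    "not found" here as inconclusive rather than as a clean result.
$proc = Get-Process -Name 'sks32proc' -ErrorAction SilentlyContinue
if ($proc) { $findings += "Process running: sks32proc.exe (PID $($proc.Id -join ', '))" }

# A keylogger hook DLL in system32 is loaded into other processes; look for it.
foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq 'sks32serv.dll' }) {
            $findings += "sks32serv.dll loaded in $($p.ProcessName) (PID $($p.Id))"
        }
    } catch { }   # protected or exited processes: module list not readable
}

if ($findings.Count -eq 0) {
    'No Spyware.SpyKeySpy indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it before removal to see every indicator at once, then again after step 5: a clean run should print only the "no indicators" line. If the process or loaded-module checks still fire after the files and keys are gone, the logger is still resident in memory and a reboot is needed before the file deletions will succeed.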