Behavior
Spyware.WALogger is a spyware program that logs keystrokes.
Symptoms
Your Symantec program detects Spyware.WALogger.
Transmission
Spyware.WALogger must be manually installed.
Technical details
File names:
WALI_LITE_Setup.exe
SERVICES.EXE
WALIMAIN.exe
WALI.dll
When Spyware.WALogger is installed, it performs the following actions:
1. Creates the following files:
* %System%\CatRoot2\tmp.edb
* %System%\dllcache\hhctrl.ocx
* %System%\hh.exe
* %System%\OLD46.tmp
* %System%\RICHTX32.OCX
* %System%\TABCTL32.OCX
* %System%\UNIPro4TCBS.ocx
* %System%\VB6STKIT.DLL
* %System%\WALI\SVCS\1151211099711011610199.al - log file
* %System%\WALI\SVCS\readme.txt
* %System%\WALI\SVCS\SERVICES.EXE - log process
* %System%\WALI\SVCS\UGF.bin
* %System%\WALI\SVCS\unins000.dat
* %System%\WALI\SVCS\unins000.exe
* %System%\WALI\SVCS\wali0
* %System%\WALI\SVCS\WALIHelp.chm
* %System%\WALI\SVCS\WALIMAIN.exe - main GUI
* %System%\WALI\SVCS\WALIMAIN.exe.manifest
* %System%\WALI.dll
* %Windir%\LastGood\system32\hhctrl.ocx
Notes:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93AAC05D-B974-4770-A9EE-92EFE7A59A85}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BA6AF311-61FA-468B-BB20-303BFA6B6C6B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F51CF22E-E6B3-498F-A9A5-80E80E9E06BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8FB10DD5-CC4F-4D5C-B8E9-E45BE911DE2A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UNIPro.uUNIPro
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WALI.cWALIRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Activity Logging Interface_is1
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WALI
3. Adds the value:
"WSVCS" = "%System%\WALI\SVCS\SERVICES.EXE"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
4. Adds the value:
"AlternateCLSID" = "{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}
5. Logs keystrokes.
Removal instructions
See: http://securityresponse.symantec.com/avcenter/venc/data/spyware.walogger.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit, then click OK.
Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
3. Navigate to and delete the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WALI.cWALIRun
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WALI
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"WSVCS" = "%System%\WALI\SVCS\SERVICES.EXE"
6. Exit the Registry Editor.
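As an added example, not part of the Symantec writeup, the following read-only PowerShell check looks for the persistence value, component files and registry keys this page documents (both the installation actions and the keys the removal steps single out), so an analyst can confirm what is present before editing the registry by hand. The function name and the reporting layout are my own; every path and key name is taken from the text above.

```powershell
# Added example: read-only check for the Spyware.WALogger indicators documented above.
# Function name is hypothetical; paths and key names come from the writeup. Nothing is deleted.
function Test-WALoggerIndicators {
    [CmdletBinding()]
    param()

    $system   = [Environment]::SystemDirectory   # resolves %System% on this host
    $findings = @()

    # 1. Run-key persistence: "WSVCS" = "%System%\WALI\SVCS\SERVICES.EXE"
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['WSVCS']) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Path = "$runKey\WSVCS"; Detail = $run.WSVCS }
    }

    # 2. Component files: log process, main GUI, log file and the DLL dropped in %System%
    $files = @(
        'WALI\SVCS\SERVICES.EXE',
        'WALI\SVCS\WALIMAIN.exe',
        'WALI\SVCS\1151211099711011610199.al',
        'WALI.dll'
    )
    foreach ($rel in $files) {
        $full = Join-Path $system $rel
        if (Test-Path -LiteralPath $full) {
            $size = (Get-Item -LiteralPath $full).Length
            $findings += [pscustomobject]@{ Type = 'File'; Path = $full; Detail = "$size bytes" }
        }
    }

    # 3. Registry keys the removal instructions tell you to delete
    $keys = @(
        'HKLM:\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}',
        'HKLM:\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}',
        'HKLM:\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}',
        'HKLM:\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}',
        'HKLM:\SOFTWARE\Classes\WALI.cWALIRun',
        'HKCU:\Software\VB and VBA Program Settings\WALI'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Path = $k; Detail = 'present' }
        }
    }

    return $findings   # empty array means none of the documented indicators were found
}

Test-WALoggerIndicators | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and %System% are readable; an empty result means none of the listed indicators are present on the machine.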