Spyware.ComSpySysSvr is a spyware program that records screenshots and sends them to a predefined IP address.

Symptoms
Your Symantec program detects Spyware.ComSpySysSvr.

Transmission
Spyware.ComSpySysSvr must be manually installed.

Technical Details
File names:
* key.dll
* The_Eye.exe
* Setup CSS.msi
* CSSServer.exe
* CSS Data Manager.exe
When Spyware.ComSpySysSvr is installed, it performs the following actions:
1. Creates the following files:
* [RANDOM FOLDER]\key.dll
* [RANDOM FOLDER]\The_Eye.exe
* %UserProfile%\Start Menu\Programs\Computer Spying System\Computer Spying System Help.lnk
* %UserProfile%\Start Menu\Programs\Computer Spying System\CSS Data Manager.lnk
* %UserProfile%\Start Menu\Programs\Computer Spying System\CSSServer.lnk
* %ProgramFiles%\Munart\CSS\ComputerSpyingSystem.chm
* %ProgramFiles%\Munart\CSS\CSS Data Manager.exe
* %ProgramFiles%\Munart\CSS\CSSServer.exe
* %ProgramFiles%\Munart\CSS\csssettings.dat
* %ProgramFiles%\Munart\CSS\EULA Computer Spying System.rtf
* %ProgramFiles%\Munart\CSS\key.dll
* %ProgramFiles%\Munart\CSS\The_Eye.exe
* %System%\Temp\[date].jpg
* %System%\Temp\keys.ktm

Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
2. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\ECE9CF640C19F064B84B575037320481
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{49865713-16CE-46C6-BE8A-DF022D50C497}
HKEY_LOCAL_MACHINE\SOFTWARE\Munart
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\31756894EC616C64EBA8FD20D2054C79
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\31756894EC616C64EBA8FD20D2054C79
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\ECE9CF640C19F064B84B575037320481
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Computer Spying System
HKEY_CURRENT_USER\Software\Munart
3. Adds the following values:
"CSS Server" = "%ProgramFiles%\Munart\CSS\CSSServer.exe"
"display" = "[RANDOM FOLDER]\The_Eye.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
4. Adds the following values:
"%UserProfile%\Start Menu\Programs\Computer Spying System\" = "1"
"%ProgramFiles%\Munart\CSS\" = ""
"%ProgramFiles%\Munart\" = ""
"%UserProfile%\Application Data\Microsoft\Installer\{49865713-16CE-46C6-BE8A-DF022D50C497}\" = ""
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
5. Captures screenshots and sends them to a predefined IP address.

REMOVAL INSTRUCTIONS

To uninstall the security risk
This security risk includes an uninstallation applet. In order to uninstall this security risk, complete the following instructions:
1. Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).
2. In the Control Panel window, double-click Add/Remove Programs.
Windows Me only: If you do not see the Add/Remove Programs icon, click ...view all Control Panel options.
3. Click CSS.
Note: You may need to use the scroll bar to view the whole list.
4. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.
Note: After running the Add/Remove Programs applet, all the files may have been removed. You will want to run a full system scan to ensure that this is the case. However, it is possible that no files will be detected after using Add/Remove Programs.

To delete the value from the registry
1. Click Start > Run.
2. Type regedit
Then click OK.
3. Navigate to and delete the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Munart
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the values:
"CSS Server" = "%ProgramFiles%\Munart\CSS\CSSServer.exe"
"display" = "[RANDOM FOLDER]\The_Eye.exe"
6. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
7. In the right pane, delete the values:
"%ProgramFiles%\Munart\CSS\" = ""
"%ProgramFiles%\Munart\" = ""
8. Exit the Registry Editor.
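The following PowerShell script is an added example and is not part of the original writeup or of any Symantec tool. It checks an affected machine for the indicators listed under Technical Details and, when run with -Remove, deletes the registry persistence that the manual steps above remove. It assumes an elevated PowerShell session on a Windows system where %ProgramFiles% and %System% map to $env:ProgramFiles and $env:SystemRoot\System32. Two points the manual steps leave implicit are handled here: the [RANDOM FOLDER] holding The_Eye.exe and key.dll is recovered from the data of the "display" Run value rather than guessed, and HKEY_CURRENT_USER\Software\Munart, which Technical Details lists as created but the manual steps do not delete, is also checked.

```powershell
# Added triage/cleanup script (example, not from the Symantec writeup).
# Assumes: elevated PowerShell; indicator list exactly as given in Technical Details above.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runNames = @('CSS Server', 'display')
$subkeys  = @(
    'HKLM:\SOFTWARE\Munart',
    'HKCU:\Software\Munart',   # created per Technical Details, not covered by the manual steps
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{49865713-16CE-46C6-BE8A-DF022D50C497}'
)
$folderKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders'
$folderVals = @("$env:ProgramFiles\Munart\CSS\", "$env:ProgramFiles\Munart\")
$systemTemp = Join-Path $env:SystemRoot 'System32\Temp'     # %System%\Temp on NT/2000/XP
$files = @(
    "$env:ProgramFiles\Munart\CSS\CSSServer.exe",
    "$env:ProgramFiles\Munart\CSS\CSS Data Manager.exe",
    "$env:ProgramFiles\Munart\CSS\The_Eye.exe",
    "$env:ProgramFiles\Munart\CSS\key.dll",
    "$env:ProgramFiles\Munart\CSS\csssettings.dat",
    (Join-Path $systemTemp 'keys.ktm')
)

$found = @()

# 1. Run-key persistence. The data of the "display" value is "[RANDOM FOLDER]\The_Eye.exe",
#    so its parent directory is the random folder that also holds key.dll.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($n in $runNames) {
    if ($run -and ($run.PSObject.Properties.Name -contains $n)) {
        $data = [string]$run.$n
        $found += "Run value '$n' = '$data'"
        if ($n -eq 'display' -and $data) {
            $randomFolder = Split-Path -Path $data.Trim('"') -Parent
            if ($randomFolder) {
                $files += @((Join-Path $randomFolder 'The_Eye.exe'), (Join-Path $randomFolder 'key.dll'))
            }
        }
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $n -ErrorAction SilentlyContinue }
    }
}

# 2. Subkeys created by the installer.
foreach ($k in $subkeys) {
    if (Test-Path -Path $k) {
        $found += "Subkey $k"
        if ($Remove) { Remove-Item -Path $k -Recurse -ErrorAction SilentlyContinue }
    }
}

# 3. Installer\Folders entries: the value *name* is the folder path and the data is empty.
$folders = Get-ItemProperty -Path $folderKey -ErrorAction SilentlyContinue
foreach ($v in $folderVals) {
    if ($folders -and ($folders.PSObject.Properties.Name -contains $v)) {
        $found += "Installer\Folders value '$v'"
        if ($Remove) { Remove-ItemProperty -Path $folderKey -Name $v -ErrorAction SilentlyContinue }
    }
}

# 4. Files are reported, not deleted: CSSServer.exe may still be running, and the writeup
#    recommends the Add/Remove Programs applet followed by a full scan for the files.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $found += "File $f" }
}
# %System%\Temp\[date].jpg: the date in the name is not fixed, so match on extension only.
$shots = Get-ChildItem -Path $systemTemp -Filter '*.jpg' -ErrorAction SilentlyContinue
if ($shots) { $found += "$(@($shots).Count) .jpg file(s) in $systemTemp (candidate screenshots)" }

if ($found.Count -eq 0) {
    Write-Output 'No Spyware.ComSpySysSvr indicators found.'
} else {
    $found | ForEach-Object { Write-Output $_ }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to delete the registry entries listed above.' }
}
```

Run it once without -Remove to see what is present, then with -Remove after the Add/Remove Programs step. Leaving the files to the uninstaller and a full scan mirrors the manual procedure; deleting CSSServer.exe while it is running would fail anyway, and the registry entries are what keep the program starting with Windows.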