XPCSpy

Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

XPCSpy is a PUP (Potentially Unwanted Program) that carries out the following actions:

  • It logs the keystrokes typed by the user, which lets it obtain the passwords entered on the computer.
  • It captures screenshots.
  • It can record these actions:
    - the accessed websites.
    - the opened windows.
    - the email messages, chat conversations and instant messages.
    - the programs that have been run.
  • It has rootkit functionalities in order to hide its processes and make its detection more difficult.

Infection strategy 

XPCSpy creates and hides the subfolder XSOFT in the Program Files directory with the following files:

  • SMSS.EXE, which is the main component.
  • AMON.DLL, IMON.DLL and KEYMON.DLL.
  • SYSRTS.EXE.
  • RSRSYS.SYS, which belongs to the rootkit it uses to hide its own processes.
    All these files are created in the subfolder XWORKING located in the subfolder XSOFT of the Program Files directory.
  • RX.EXE. This file is also copied as XLD.EXE.


XPCSpy creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SystemLoginService
    ImagePath = C:\Program Files\XSoft\xworking\sysrts.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemLoginService
    ImagePath = C:\Program Files\XSoft\xworking\sysrts.exe

    By creating these entries, XPCSpy registers itself as a system service.
  • HKEY_CLASSES_ROOT\CLSID\{3A9DB4A6-E29C-4AE8-9C44-B058941EB5D0}\InprocServer32
    (Default) = C:\Program Files\XSoft\xworking\IMon.dll
  • HKEY_CLASSES_ROOT\CLSID\{67C4682D-5AED-48DB-83CB-2B53270E9BCB}\InprocServer32
    (Default) = C:\Program Files\XSoft\xworking\AMon.dll

    By creating these entries, XPCSpy loads the files IMON.DLL and AMON.DLL, so that they can carry out their actions.
  • HKEY_CLASSES_ROOT\AMon.TShellExecuteHook\Clsid
    (Default) = {67C4682D-5AED-48DB-83CB-2B53270E9BCB}
  • HKEY_CLASSES_ROOT\CLSID\{3A9DB4A6-E29C-4AE8-9C44-B058941EB5D0}\InprocServer32
    ThreadingModel = Apartment
  • HKEY_CLASSES_ROOT\CLSID\{3A9DB4A6-E29C-4AE8-9C44-B058941EB5D0}\ProgID
    (Default) = IMon.IESpy
  • HKEY_CLASSES_ROOT\CLSID\{67C4682D-5AED-48DB-83CB-2B53270E9BCB}
    (Default) = ShellExecute hook Sample
  • HKEY_CLASSES_ROOT\CLSID\{67C4682D-5AED-48DB-83CB-2B53270E9BCB}\InprocServer32
    ThreadingModel = Apartment
  • HKEY_CLASSES_ROOT\CLSID\{67C4682D-5AED-48DB-83CB-2B53270E9BCB}\ProgID
    (Default) = AMon.TShellExecuteHook
  • HKEY_CLASSES_ROOT\IMon.IESpy\Clsid
    (Default) = {3A9DB4A6-E29C-4AE8-9C44-B058941EB5D0}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {67C4682D-5AED-48DB-83CB-2B53270E9BCB} = ShellExecute hook Sample
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SystemLoginService
    DisplayName = Login Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SystemLoginService
    ErrorControl = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SystemLoginService
    ObjectName = LocalSystem
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SystemLoginService
    Start = 02, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SystemLoginService
    Type = 10, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SystemLoginService\Security
    Security = 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemLoginService
    DisplayName = Login Service
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemLoginService
    ErrorControl = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemLoginService
    ObjectName = LocalSystem
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemLoginService
    Start = 02, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemLoginService
    Type = 10, 00, 00, 00

Further Details  

XPCSpy is written in the programming language Delphi v5. This PUP is 3428352 bytes in size.

A screenshot of the program's interface accompanies the original entry.

Last updated: 08/09/2007
