
MonitoringTool:Win32/MsnSpyMaster


First posted on 25 September 2014.
Source: Microsoft

Aliases :

There are no other names known for MonitoringTool:Win32/MsnSpyMaster.

Explanation :

Threat behavior

MonitoringTool:Win32/MsnSpyMaster is an unwanted program that monitors and records Windows Live Messenger conversations, possibly without the user's knowledge or consent.

When installed, MonitoringTool:Win32/MsnSpyMaster can be set to run on the computer without the user's knowledge. It records conversations conducted using Windows Live Messenger. Keystrokes are logged, and screenshots and video are taken of the conversations; these can be used to generate a report, which may be sent to a pre-configured email address.

MonitoringTool:Win32/MsnSpyMaster is a commercial product that is available from a certain website. It may display the following user interfaces:

Installation

On installation, MonitoringTool:Win32/MsnSpyMaster displays the following installation screen:

When installed, MonitoringTool:Win32/MsnSpyMaster creates the following directories with 'hidden' attributes:

  • \msystem
  • \msystem\iData\
  • \msystem\iData\Screens\

Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It then adds the following files:

  • \msystem\Config.ini
  • \msystem\Services.exe
  • \msystem\iData\Data.msn
  • \msystem\iData\sMail.msm
  • \msystem\iData\Users.msm

MonitoringTool:Win32/MsnSpyMaster makes the following changes to the registry:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "msservices"
With data: "C:\WINDOWS\system32\msystem\services.exe"

Adds subkey: HKCU\Software\Syncsoft
Adds subkey: HKCU\Software\Syncsoft\Msn SpyMaster

In subkey: HKCU\Software\Syncsoft\Msn SpyMaster
Sets value: "Uninstall"
With data: "C:\WINDOWS\system32\msystem\unins000.exe\"

Analysis by Michael Johnson

Symptoms

System changes

The following system changes may indicate the presence of this program:
  • The presence of the following files:

    \msystem\Config.ini
    \msystem\Services.exe
    \msystem\iData\Data.msn
    \msystem\iData\sMail.msm
    \msystem\iData\Users.msm

  • The presence of the following registry modifications:

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "msservices"
    With data: "C:\WINDOWS\system32\msystem\services.exe"

    Adds subkey: HKCU\Software\Syncsoft
    Adds subkey: HKCU\Software\Syncsoft\Msn SpyMaster

    In subkey: HKCU\Software\Syncsoft\Msn SpyMaster
    Sets value: "Uninstall"
    With data: "C:\WINDOWS\system32\msystem\unins000.exe\"

  • The display of the following images:
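
An added example, not part of the original write-up: a PowerShell function that reports which of the file and registry indicators listed under System changes are present for the current user. It assumes the msystem directory sits under the Windows System folder, as the registry data on the page indicates; the function name is hypothetical.

```powershell
# Added example: report which of the page's listed indicators exist on this host.
# Assumption: "msystem" sits under the Windows System folder, as the registry
# data on the page (C:\WINDOWS\system32\msystem\services.exe) indicates.
function Get-MsnSpyMasterIndicator {
    $base  = Join-Path ([Environment]::SystemDirectory) 'msystem'
    $dirs  = $base, "$base\iData", "$base\iData\Screens"
    $files = 'Config.ini', 'Services.exe', 'iData\Data.msn',
             'iData\sMail.msm', 'iData\Users.msm' |
             ForEach-Object { Join-Path $base $_ }

    # -Force is required: the page says the directories carry the 'hidden' attribute.
    foreach ($path in ($dirs + $files)) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            [pscustomobject]@{
                Type   = if ($item.PSIsContainer) { 'Directory' } else { 'File' }
                Path   = $item.FullName
                Detail = "Hidden=$hidden"
            }
        }
    }

    # Autostart entry: HKCU Run value "msservices" pointing at services.exe
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'msservices' -ErrorAction SilentlyContinue
    if ($run) {
        [pscustomobject]@{ Type = 'RunValue'; Path = "$runKey\msservices"; Detail = $run.msservices }
    }

    # Vendor subkeys listed on the page, with the "Uninstall" value if one is set
    foreach ($key in 'HKCU:\Software\Syncsoft', 'HKCU:\Software\Syncsoft\Msn SpyMaster') {
        if (Test-Path -LiteralPath $key) {
            $u = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Uninstall
            [pscustomobject]@{ Type = 'RegistryKey'; Path = $key; Detail = "Uninstall=$u" }
        }
    }
}

# Empty output means none of the listed indicators were found for this user.
Get-MsnSpyMasterIndicator | Format-Table -AutoSize -Wrap
```

HKCU reflects only the account running the script, so run it in the context of each user profile being examined.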



Last update 25 September 2014

 
