
MonitoringTool:Win32/DrpuPcDataManager


First posted on 10 November 2010.
Source: SecurityHome

Aliases:

MonitoringTool:Win32/DrpuPcDataManager is also known as W32/MalwareF.BWSS (Authentium (Command)), Win32/KeyLogger.PCDataManager (ESET), Keylog-DataDoctor (McAfee), Trojan.Win32.Generic.520718B8 (Rising AV), DRPU (Sunbelt Software), Spyware.DataDoctorKey (Symantec).

Explanation:

MonitoringTool:Win32/DrpuPcDataManager is a monitoring program that monitors user activities, such as key strokes typed, clipboard, screenshots, applications, system, time and sound activities. This information can then be logged, emailed or sent via FTP (File Transfer Protocol) to a remote location.

Installation

MonitoringTool:Win32/DrpuPcDataManager installs the following directories on the user's computer:

  %StartMenu%\Programs\DRPU PC Data Manager\
  %Documents%\PC DM Files
  %ProgramFiles%\DRPU PC Data Manager

MonitoringTool:Win32/DrpuPcDataManager then installs the following files on the user's computer:

  %Desktop%\DRPU PC Data Manager.lnk
  %StartMenu%\Programs\DRPU PC Data Manager\DRPU PC Data Manager.lnk
  %StartMenu%\Programs\DRPU PC Data Manager\Help.chm.lnk
  %StartMenu%\Programs\DRPU PC Data Manager\Uninstall.lnk
  %ProgramFiles%\DRPU PC Data Manager\apcdm.exe - detected as MonitoringTool:MSIL/Keylogger.C
  %ProgramFiles%\DRPU PC Data Manager\Help.chm
  %ProgramFiles%\DRPU PC Data Manager\Microsoft.Office.Interop.Excel.dll
  %ProgramFiles%\DRPU PC Data Manager\Pcdll.dll - detected as MonitoringTool:MSIL/Keylogger.C
  %ProgramFiles%\DRPU PC Data Manager\Setting.exe
  %ProgramFiles%\DRPU PC Data Manager\Setting.exe.manifest
  %ProgramFiles%\DRPU PC Data Manager\Shk.exe - detected as MonitoringTool:MSIL/Keylogger.C
  %ProgramFiles%\DRPU PC Data Manager\Shk.exe.manifest
  %ProgramFiles%\DRPU PC Data Manager\Uninstall.exe
  %ProgramFiles%\DRPU PC Data Manager\uninstall.ico
  %ProgramFiles%\DRPU PC Data Manager\Uninstall.txt
  %windir%\system\DRPUPCDM.lnk

MonitoringTool:Win32/DrpuPcDataManager then makes the following changes to the registry:

Adds the following subkeys:

  HKLM\SOFTWARE\DRPU Software Pvt. Ltd.
  HKLM\SOFTWARE\DRPU Software Pvt. Ltd.\DRPU PC Data Manager
  HKLM\SOFTWARE\DRPUPCDM
  HKLM\SOFTWARE\DRPUPCDM\Application
  HKLM\SOFTWARE\DRPUPCDM\Email
  HKLM\SOFTWARE\DRPUPCDM\Screenshots
  HKLM\SOFTWARE\DRPUPCDM\Setting
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DRPU PC Data Manager
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\apcdm.exe

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\apcdm.exe
  Sets value: <default>
  With data: "C:\\Program Files\\DRPU PC Data Manager\\apcdm.exe"
  Sets value: "Path"
  With data: "C:\\Program Files\\DRPU PC Data Manager"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Sets value: "DRPU Pc Data manager"
  With data: "\"C:\\Program Files\\DRPU PC Data Manager\\apcdm.exe\" \"hd\""

Note: The following is a list of system variables that are determined by the malware by querying the Operating System:

  %Desktop% refers to C:\Users\Public\Desktop
  %Start Menu% refers to C:\ProgramData\Microsoft\Windows\Start Menu
  %Documents% refers to C:\Users\Public\Documents

Execution

Logs user activities

MonitoringTool:Win32/DrpuPcDataManager is also known as "DRPU PC Data Manager"; its purpose is to monitor and log a user's key strokes, clipboard, screenshots, applications, system, time and sound activities. This information can then be logged, emailed, or sent via FTP to a remote location. MonitoringTool:Win32/DrpuPcDataManager also has the ability to hide itself from view so that it may go undetected by the affected user.

The recorded information is stored in the following directories:

  %Documents%\PC DM Files\Images\
  %Documents%\PC DM Files\Sound\
  %Documents%\PC DM Files\<user name>\

where <user name> refers to the user's login name, for example: %Documents%\PC DM Files\Administrator
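The following host-triage script is an added example for this entry, not code from Microsoft or from the software's vendor. It checks a Windows host for the directories, files, registry subkeys and Run-key persistence value listed above, plus any running process started from the install directory, and returns each finding as an object. The function names Find-DrpuIndicators and New-Hit are our own; the WOW6432Node and %ProgramFiles(x86)% variants are an assumption added for 64-bit hosts (the entry itself lists only the 32-bit locations), and the %Desktop%, %Start Menu% and %Documents% paths are resolved exactly as the entry's note describes.

```powershell
# Example triage check for the MonitoringTool:Win32/DrpuPcDataManager indicators
# listed in this entry. Added for this page; not vendor or Microsoft code.
# Run from an elevated PowerShell session on the host being examined.
# Assumptions: Find-DrpuIndicators / New-Hit are our names; the WOW6432Node and
# %ProgramFiles(x86)% variants are added for 64-bit hosts and are not in the entry.

function New-Hit([string]$Type, [string]$Location, [string]$Detail = '') {
    [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
}

function Find-DrpuIndicators {
    $hits = New-Object System.Collections.Generic.List[object]

    # File-system indicators, with the %...% variables resolved as the entry's note states.
    $paths = @(
        'C:\Users\Public\Desktop\DRPU PC Data Manager.lnk'
        'C:\Users\Public\Documents\PC DM Files'
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\DRPU PC Data Manager')
        (Join-Path $env:windir 'system\DRPUPCDM.lnk')
    )
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) { $paths += (Join-Path $root 'DRPU PC Data Manager') }
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $hits.Add((New-Hit 'Path' $p)) }
    }

    # Registry indicators. A 32-bit installer on 64-bit Windows lands under WOW6432Node.
    $subkeys = @(
        'DRPU Software Pvt. Ltd.'
        'DRPUPCDM'
        'Microsoft\Windows\CurrentVersion\Uninstall\DRPU PC Data Manager'
        'Microsoft\Windows\CurrentVersion\App Paths\apcdm.exe'
    )
    foreach ($hive in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')) {
        foreach ($k in $subkeys) {
            $full = Join-Path $hive $k
            if (Test-Path -LiteralPath $full) { $hits.Add((New-Hit 'RegistryKey' $full)) }
        }
        # Persistence: the Run value "DRPU Pc Data manager" starts apcdm.exe with the "hd" argument.
        $runKey = Join-Path $hive 'Microsoft\Windows\CurrentVersion\Run'
        if (Test-Path -LiteralPath $runKey) {
            $run = Get-ItemProperty -LiteralPath $runKey
            foreach ($prop in $run.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
                if ($prop.Name -eq 'DRPU Pc Data manager' -or "$($prop.Value)" -match 'apcdm\.exe') {
                    $hits.Add((New-Hit 'RunValue' "$runKey\$($prop.Name)" "$($prop.Value)"))
                }
            }
        }
    }

    # Live processes launched from the install directory (apcdm.exe, Shk.exe, Setting.exe).
    foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
        try { $exe = $proc.Path } catch { $exe = $null }   # protected processes may deny access
        if ($exe -and $exe -like '*\DRPU PC Data Manager\*') {
            $hits.Add((New-Hit 'Process' $exe "PID $($proc.Id)"))
        }
    }
    return $hits
}

$found = @(Find-DrpuIndicators)
if ($found.Count -eq 0) {
    Write-Output 'No MonitoringTool:Win32/DrpuPcDataManager indicators found.'
} else {
    $found | Format-Table -AutoSize
}
```

A RunValue hit is the one to act on first: removing only the files while leaving the Run value produces a broken autostart entry, and leaving the files while removing the Run value lets the App Paths entry still launch apcdm.exe by name. Review the %Documents%\PC DM Files\ directories before deleting them, since they hold the logs, screenshots and sound captures that show what was recorded.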

Analysis by Michael Johnson

Last update 10 November 2010
