
MonitoringTool:Win32/Spector


First posted on 15 February 2019.
Source: Microsoft

Aliases :

MonitoringTool:Win32/Spector is also known as Spector, Spyware.Spector, ADW_SPECTORSOFT.

Explanation :

MonitoringTool:Win32/Spector is an application that logs keystrokes, e-mails, visited Web sites, IM chats, run programs, and peer-to-peer activity, and may also take snapshots of the user's desktop. It can be run in stealth mode, so the user is unaware of being monitored. It can be brought to the user's attention if the user presses CTRL+ALT+SHIFT+S.

Installation :

Upon execution, it creates randomly-named DLL and EXE files in the Windows system folder, for example:

vnwkgdi.dll
wswinntfp.exe

Note - the Windows system folder is a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

It may also create other files with varying extensions within the Windows system folder. These files have the same file name as the dropped EXE file, for example:

wswinntfp.hlp
wswinntfp.cnt

It may also drop the following file in the Windows system folder:

oboex32.dll

It registers its dropped DLL file by creating subkeys under a key in HKCR\CLSID that is named with a CLSID randomly generated by this tool, for example:

HKCR\CLSID\{01033863-FC53-4E72-9B76-A5E4EFD81EA3}
HKCR\CLSID\{0B344580-56DA-11d2-B28F-444553540000}\InterfaceNetwork
HKCR\CLSID\{CB8DE863-0561-4ffd-9B86-5BA2E941BA52}\OLEShellCommandsshellfolder
HKCR\CLSID\{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}\InprocServer32

It may also create the subfolder 'netext' or 'netutil' in the Windows system folder.

Analysis by Patrik Vicol
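The file-system artifacts listed above can be turned into a triage check. The following Python script is an added example, not part of the original write-up and not Microsoft's detection logic; the function names and the rule of requiring both a .hlp and a .cnt file beside an EXE are assumptions. Because the dropped names are random and legitimate software can ship help files, matches are leads for review, not verdicts.

```python
import os
import tempfile

# File and folder names below are taken from the description above.
FIXED_DLL = "oboex32.dll"
SUBFOLDERS = ("netext", "netutil")
SIDECAR_EXTS = (".hlp", ".cnt")  # assumption: require both next to the EXE


def triage_system_folder(path):
    """Return a list of (reason, name) leads found directly under `path`."""
    # Windows file names are case-insensitive, so compare in lower case.
    lower = {e.lower(): e for e in os.listdir(path)}
    leads = []

    # Fixed-name DLL that the tool may drop.
    if FIXED_DLL in lower and os.path.isfile(os.path.join(path, lower[FIXED_DLL])):
        leads.append(("fixed-name DLL", lower[FIXED_DLL]))

    # Subfolders the tool may create.
    for name in SUBFOLDERS:
        if name in lower and os.path.isdir(os.path.join(path, lower[name])):
            leads.append(("subfolder", lower[name]))

    # Randomly named EXE whose base name is shared by .hlp and .cnt files.
    for low, real in sorted(lower.items()):
        base, ext = os.path.splitext(low)
        if ext == ".exe" and all(base + s in lower for s in SIDECAR_EXTS):
            leads.append(("EXE with same-named .hlp/.cnt", real))
    return leads


def build_sample_folder():
    """Constructed sample: a temp folder holding the example names from the page."""
    root = tempfile.mkdtemp(prefix="sysfolder_sample_")
    for name in ("vnwkgdi.dll", "wswinntfp.exe", "wswinntfp.hlp",
                 "wswinntfp.cnt", "oboex32.dll", "notepad.exe"):
        open(os.path.join(root, name), "w").close()
    os.mkdir(os.path.join(root, "netext"))
    return root


if __name__ == "__main__":
    # On a live host, pass the real system folder instead of the sample.
    for reason, name in triage_system_folder(build_sample_folder()):
        print(f"{reason}: {name}")
```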

Last update 15 February 2019

 
