PWCrack-Winspy
- Type: Program
- SubType: Malware Tool
- Discovery Date: 04/13/2006
- Length:
- Minimum DAT: 4740 (04/13/2006)
- Updated DAT: 5440 (11/20/2008)
- Minimum Engine: 5.1.00
- Description Added: 04/13/2006
- Description Modified: 05/30/2008 9:21 AM (PT)
Characteristics
PWCrack-Winspy provides several functions for spying on user activity: it logs keystrokes, records visited URLs, can take screenshots, and hides itself. It can also automatically send the collected data to a pre-configured email address.
The administration interface can be shown by pressing a predefined set of keys. It is protected by a login name and password.
PWCrack-Winspy does not appear in the Windows Task Manager or in the installed programs list.
PWCrack-Winspy creates the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA
- HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\FH
- HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\KA
- HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\US
- HKEY_LOCAL_MACHINE\SOFTWARE\IPANEMA\WM
It also hides itself and prevents the user from modifying folder properties by adding the following value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- "NoFolderOptions" = "01000000"
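A read-only PowerShell check for the registry artifacts listed above, as an added example that is not part of the original description. The WOW6432Node lookup and the handling of the value as either a DWORD or a binary value are assumptions, not details given here.

```powershell
# Added example: read-only check for the registry artifacts named in this description.
$subKeys = 'IPANEMA', 'IPANEMA\FH', 'IPANEMA\KA', 'IPANEMA\US', 'IPANEMA\WM'

# Assumption (not from the description): also look under WOW6432Node, where
# 64-bit Windows redirects HKLM\SOFTWARE writes made by 32-bit programs.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

$findings = @()
foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $path = Join-Path $root $sub
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Artifact = 'Key'; Path = $path; Detail = 'present' }
        }
    }
}

# Policy value that removes Folder Options for the current user.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$prop = Get-ItemProperty -LiteralPath $policy -Name 'NoFolderOptions' -ErrorAction SilentlyContinue
if ($null -ne $prop) {
    $raw = $prop.NoFolderOptions
    # Assumption: "01000000" is the little-endian byte form of 1, so accept
    # the value whether it is stored as a DWORD or as binary data.
    $enabled = if ($raw -is [byte[]]) {
        $raw.Length -gt 0 -and $raw[0] -eq 1
    } else {
        [int]$raw -eq 1
    }
    if ($enabled) {
        $findings += [pscustomobject]@{ Artifact = 'Value'; Path = $policy; Detail = 'NoFolderOptions = 1' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed PWCrack-Winspy registry artifacts were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The HKEY_CURRENT_USER check only covers the account running the script, so run it in each user's session. NoFolderOptions can also be set by legitimate administrative policy, so treat it as supporting evidence alongside the IPANEMA keys.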
Symptoms
Method of Infection
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A