Analysis by: Rika Joi Gregorio

ALIASES:

MonitoringTool:Win32/SnoopIt, MonitoringTool:Win32/ThePCDetective, Backdoor:Win32/Pasur!rts (Microsoft), Win32/Monitor.SniperSpy application, Win32/PCDetective.C application, Win32/Optix.Pro.13 trojan (Eset)

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

OVERALL RISK RATING:
REPORTED INFECTION:
SYSTEM IMPACT RATING:
INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


TECHNICAL DETAILS

File size: 2,239,559 bytes
File type: EXE
Memory resident: No
Initial samples received on: 07 Apr 2011

Installation

This spyware drops the following component file(s):

  • %Program Files%\Retina-X Studios\AceSpy\contlist.ndx
  • %Program Files%\Retina-X Studios\AceSpy\keylist.ndx
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\acecache\_ace03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\appcache\_app03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\eventcache\_event03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache\key20130320055357.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache\KeyLog03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache\scr03202013055355.jpg
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache\scrlog03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\wincache\app03202013.log
  • %Program Files%\Retina-X Studios\AceSpy\urlfname.ndx
  • %Program Files%\Retina-X Studios\AceSpy\userlist.ndx
  • %Program Files%\Retina-X Studios\AceSpy\winlist.ndx

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

  • {All User's Profile}\Start Menu\Programs\AceSpy
  • %Program Files%\Retina-X Studios
  • %Program Files%\Retina-X Studios\AceSpy
  • %Program Files%\Retina-X Studios\AceSpy\LOGS
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\acecache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\appcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\clipcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\emailcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\eventcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\iecache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\keycache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\msgcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\prncache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\recentcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\taskcache
  • %Program Files%\Retina-X Studios\AceSpy\LOGS\wincache

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\VnSI4H Softwares

HKEY_CURRENT_USER\Software\VnSI4H Softwares\StealthAPIs

HKEY_LOCAL_MACHINE\SOFTWARE\RXS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\RXS
thePassword = "{password}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
ImagePath = "\??\%User Temp%\mc2B.tmp"
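The following host check is an added example, not part of this advisory and not code from Trend Micro or Retina-X Studios. It turns the file, folder and registry artifacts listed under Installation and Other System Modifications into a script a responder can run on a suspect Windows machine. It assumes that %Program Files% maps to the ProgramFiles(x86) or ProgramFiles environment variable and {All User's Profile} to ALLUSERSPROFILE (the fallback paths are assumed 32-bit defaults), that AceSpy's keys live in the 32-bit registry view, and it leaves out the date-stamped log names because those are specific to the analysed sample. The placeholder map and the registry reader are injectable, so the matching logic can be exercised on any platform with constructed input.

```python
# Added example (not Trend Micro's or Retina-X's tooling): host check for the
# AceSpy artifacts listed in the advisory. Placeholder expansion and the
# registry reader are injectable so the logic can be tested off-host.
import os
import sys
from typing import Dict, List, Optional, Tuple

# Stable paths copied from the advisory; the dated log files (e.g.
# _ace03202013.log) vary per install and are deliberately omitted.
FILE_INDICATORS = [
    r"%Program Files%\Retina-X Studios\AceSpy\contlist.ndx",
    r"%Program Files%\Retina-X Studios\AceSpy\keylist.ndx",
    r"%Program Files%\Retina-X Studios\AceSpy\urlfname.ndx",
    r"%Program Files%\Retina-X Studios\AceSpy\userlist.ndx",
    r"%Program Files%\Retina-X Studios\AceSpy\winlist.ndx",
]
FOLDER_INDICATORS = [
    r"{All User's Profile}\Start Menu\Programs\AceSpy",
    r"%Program Files%\Retina-X Studios\AceSpy\LOGS",
    r"%Program Files%\Retina-X Studios\AceSpy\LOGS\keycache",
    r"%Program Files%\Retina-X Studios\AceSpy\LOGS\scrcache",
]
# (hive, subkey, value name or None for a key-existence probe), from the advisory.
REGISTRY_INDICATORS = [
    ("HKEY_CURRENT_USER", r"Software\VnSI4H Softwares\StealthAPIs", None),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\RXS", "thePassword"),
    ("HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Services\mchInjDrv", "ImagePath"),
]


def default_env() -> Dict[str, str]:
    """Map the advisory's placeholders to this host's folders (Windows only).
    The fallback values are assumed defaults for a 32-bit install."""
    return {
        "%Program Files%": os.environ.get("ProgramFiles(x86)")
        or os.environ.get("ProgramFiles", r"C:\Program Files"),
        "{All User's Profile}": os.environ.get(
            "ALLUSERSPROFILE", r"C:\Documents and Settings\All Users"),
    }


def expand_placeholders(path: str, env: Dict[str, str]) -> str:
    """Replace every placeholder in `path` with its value from `env`."""
    for name, value in env.items():
        path = path.replace(name, value)
    return path


def find_file_artifacts(indicators, env, exists=os.path.exists) -> List[str]:
    """Return the expanded indicator paths that exist, in indicator order."""
    return [p for p in (expand_placeholders(i, env) for i in indicators) if exists(p)]


def find_registry_artifacts(indicators, read_value) -> List[Tuple[str, str, Optional[str], str]]:
    """read_value(hive, subkey, name) returns the value as a string, "" when a
    key-existence probe succeeds, or None when the key or value is absent."""
    hits = []
    for hive, subkey, name in indicators:
        value = read_value(hive, subkey, name)
        if value is not None:
            hits.append((hive, subkey, name, value))
    return hits


def image_path_in_temp(image_path: str) -> bool:
    """A driver service whose ImagePath points into a temp folder (the advisory
    shows \\??\\%User Temp%\\mc2B.tmp) is worth flagging whatever its name."""
    p = image_path.lower()
    return "\\temp\\" in p or p.endswith(".tmp")


def winreg_reader(hive, subkey, name):
    """Live reader for Windows; opens the 32-bit registry view because AceSpy
    is a 32-bit application (assumption)."""
    import winreg  # only importable on Windows
    root = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
            "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}[hive]
    try:
        with winreg.OpenKey(root, subkey, 0, winreg.KEY_READ | winreg.KEY_WOW64_32KEY) as key:
            if name is None:
                return ""
            value, _ = winreg.QueryValueEx(key, name)
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this check on the Windows host being examined")
    env = default_env()
    for hit in find_file_artifacts(FILE_INDICATORS + FOLDER_INDICATORS, env):
        print("file/folder present:", hit)
    for hive, subkey, name, value in find_registry_artifacts(REGISTRY_INDICATORS, winreg_reader):
        print("registry present:", hive + "\\" + subkey, name or "", value)
        if name == "ImagePath" and image_path_in_temp(value):
            print("  driver service loads its image from a temp folder")
```

A hit on the mchInjDrv service is the most useful of these: the advisory shows its ImagePath under %User Temp%, and a kernel driver registered from a per-user temp directory is abnormal on its own, so the check flags that condition separately from the path match. Run the script with administrative rights, since HKEY_LOCAL_MACHINE\SYSTEM and the Program Files tree may not be readable otherwise.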