Spyware.CyberPredator

Updated: July 13, 2006
Risk Impact: High
Systems Affected: Windows

Behavior

Spyware.CyberPredator is a security risk that can monitor and log HTTP, FTP and email network activity.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version July 13, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date July 19, 2006
Spyware.CyberPredator is a security risk that can monitor and log HTTP, FTP and email network activity.

When Spyware.CyberPredator is executed, it creates the following files:
%UserProfile%\Start Menu\Programs\Cyber Predator\Cyber Predator - Data Collector Configuration Program.lnk
%UserProfile%\Start Menu\Programs\Cyber Predator\Cyber Predator - Management Console.lnk
%UserProfile%\Start Menu\Programs\Cyber Predator\Cyber Predator - Online Help.lnk
%UserProfile%\Start Menu\Programs\Cyber Predator\Cyber Predator - Real Time Violation Console.lnk
%ProgramFiles%\Cyber Predator\cparchive.exe
%ProgramFiles%\Cyber Predator\cphelp.chm
%ProgramFiles%\Cyber Predator\CPMC.exe
%ProgramFiles%\Cyber Predator\CPRTDC.exe
%ProgramFiles%\Cyber Predator\cprtdc.ini
%ProgramFiles%\Cyber Predator\cprtdcsu.exe
%ProgramFiles%\Cyber Predator\CPRTVC.exe
%ProgramFiles%\Cyber Predator\dbe.exe
%ProgramFiles%\Cyber Predator\INSTALL.LOG
%ProgramFiles%\Cyber Predator\override.blk
%ProgramFiles%\Cyber Predator\rep-ftp.reg
%ProgramFiles%\Cyber Predator\reports.reg
%ProgramFiles%\Cyber Predator\static.blk
%ProgramFiles%\Cyber Predator\UNWISE.EXE
%ProgramFiles%\Cyber Predator\Logs\CP[DATE].LOG
%ProgramFiles%\Cyber Predator\Logs\MC[DATE].LOG
%ProgramFiles%\Cyber Predator\Database\cp.ldb
%ProgramFiles%\Cyber Predator\Database\cp.mdb
%ProgramFiles%\Cyber Predator\Email

The security risk also creates the following non-malicious files:
%System%\Cfx4032.ocx
%System%\Pcandis4.sys
%System%\Pcandis5.sys
%System%\SfxBar.dll
%System%\W32N50.dll

It creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cyber Predator V2.0
HKEY_ALL_USERS\Software\Ingenuity (UK) Ltd\Cyber Predator
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CYBERPREDATORRTDC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\CyberPredatorRTDC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CyberPredatorRTDC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\CyberPredatorRTDC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CYBERPREDATORRTDC
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Cyber Predator

It then adds the following registry subkey so that it runs as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CyberPredatorRTDC

It also creates the following non-malicious registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179B6120-3BEA-11d1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179B6121-3BEA-11d1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179B6122-3BEA-11d1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179B6123-3BEA-11d1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179B6125-3BEA-11d1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179B6126-3BEA-11d1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179B6127-3BEA-11d1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179B6128-3BEA-11d1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{608E8B11-3690-11D1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F37C431-98F3-11d1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F37C432-98F3-11d1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F37C433-98F3-11d1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F37C434-98F3-11d1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F37C435-98F3-11d1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F37C436-98F3-11d1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D3266C1-745C-11D0-9223-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D3266C2-745C-11D0-9223-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D3266C3-745C-11D0-9223-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D3266C4-745C-11D0-9223-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D3266D1-745C-11D0-9223-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D3266D2-745C-11D0-9223-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D3266D3-745C-11D0-9223-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D3266D4-745C-11D0-9223-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5DECA4E0-3B4F-11D1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{608E8B10-3690-11D1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A906AC2-BE4B-11D1-B134-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F37C448-98F3-11D1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F37C449-98F3-11D1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F37C44C-98F3-11D1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F37C44D-98F3-11D1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F37C44F-98F3-11D1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6AA700-D188-11CD-AD48-00AA003C9CB6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A24604BA-C27F-11D1-9C4E-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5688691-E6B0-11D1-89B0-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EDBC92F0-B34C-11D1-B134-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F3743560-454E-11D1-8FD4-00AA00BD091C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8996B0A4-D7BE-101B-8650-00AA003A5593}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9F37C430-98F3-11D1-9C3B-00A0244D2920}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.AxesPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.AxesPage.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.AxisScale
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.AxisScale.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.Chart
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.Chart.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.ConstantStripesPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.ConstantStripesPage.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.FillBorderPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.FillBorderPage.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.GeneralPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.GeneralPage.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.GridLinesPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.GridLinesPage.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.LabelsPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.LabelsPage.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.Page3D
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChartFX.Page3D.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SfxBar.CommandBar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SfxBar.CommandBar.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SfxBar.ToolBar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SfxBar.ToolBar.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SfxBar.ToolCombo
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SfxBar.ToolCombo.1
HKEY_LOCAL_MACHINE\SOFTWARE\Software FX, Inc.\Chart FX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCANDIS5
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCANDIS5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCANDIS5
HKEY_ALL_USERS\Software\Microsoft\Multimedia\DrawDib
HKEY_ALL_USERS\Software\Microsoft\Multimedia\Video For Windows
HKEY_ALL_USERS\Software\Microsoft\Multimedia\Video For Windows\MCIAVI
HKEY_ALL_USERS\Software\Software FX, Inc.\Chart FX

Spyware.CyberPredator can log all HTTP, FTP and email activity on a LAN. It can block network traffic whose contents match a configurable list of banned words or URLs. It can log URLs visited, FTP addresses accessed (including username and password), and email sent and received (including subject and destination address). This security risk does not need to be installed on the monitored computers; it only needs to be installed on one machine in the LAN, where it listens to network traffic in promiscuous mode in order to perform its logging and blocking actions.
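Because the monitoring host is the only machine carrying these artifacts, a host-side check for the service, registry keys and files listed above is the practical way to find an installation on a LAN. The script below is an added example written for this page, not Symantec's detection logic and not a tool from the product's vendor. It assumes PowerShell 5.1 or later, administrative rights (needed to read the HKLM\SYSTEM service keys and every loaded user hive), and the standard %ProgramFiles% and %System% locations; the indicator strings themselves are taken from the lists on this page. It only reports what it finds and changes nothing on the host.

```powershell
# Added example for this page: checks a Windows host for the Spyware.CyberPredator
# artifacts listed in the write-up. Assumes PowerShell 5.1+ and local admin rights.
# Indicator lists are copied from the page; nothing here is removed or modified.

$ProgramFilesDir = [Environment]::GetFolderPath('ProgramFiles')
$SystemDir       = [Environment]::SystemDirectory

# Files the page says the security risk creates (a representative subset).
$RiskFiles = @(
    'Cyber Predator\cparchive.exe',
    'Cyber Predator\CPMC.exe',
    'Cyber Predator\CPRTDC.exe',
    'Cyber Predator\cprtdc.ini',
    'Cyber Predator\cprtdcsu.exe',
    'Cyber Predator\CPRTVC.exe',
    'Cyber Predator\dbe.exe',
    'Cyber Predator\Database\cp.mdb'
) | ForEach-Object { Join-Path $ProgramFilesDir $_ }

# Support files the page lists as non-malicious; reported at Info severity only.
$SupportFiles = @('Cfx4032.ocx', 'Pcandis4.sys', 'Pcandis5.sys', 'SfxBar.dll', 'W32N50.dll') |
    ForEach-Object { Join-Path $SystemDir $_ }

# Machine-wide keys tied directly to the risk (High) and to its support driver (Info).
$RiskRegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cyber Predator V2.0',
    'HKLM:\SYSTEM\CurrentControlSet\Services\CyberPredatorRTDC',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\CyberPredatorRTDC',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CYBERPREDATORRTDC'
)
$SupportRegistryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\PCANDIS5',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCANDIS5'
)

function New-Finding($Type, $Severity, $Indicator) {
    [pscustomobject]@{ Type = $Type; Severity = $Severity; Indicator = $Indicator }
}

function Find-CyberPredatorArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($p in $RiskFiles)    { if (Test-Path -LiteralPath $p) { $findings.Add((New-Finding 'File' 'High' $p)) } }
    foreach ($p in $SupportFiles) { if (Test-Path -LiteralPath $p) { $findings.Add((New-Finding 'File' 'Info' $p)) } }
    foreach ($k in $RiskRegistryKeys)    { if (Test-Path -LiteralPath $k) { $findings.Add((New-Finding 'Registry' 'High' $k)) } }
    foreach ($k in $SupportRegistryKeys) { if (Test-Path -LiteralPath $k) { $findings.Add((New-Finding 'Registry' 'Info' $k)) } }

    # The service entry is the persistence mechanism named on the page; report it
    # whether it is running or stopped, since a stopped service still restarts at boot.
    $svc = Get-Service -Name 'CyberPredatorRTDC' -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add((New-Finding 'Service' 'High' "CyberPredatorRTDC ($($svc.Status))")) }

    # Per-user key: walk every loaded hive under HKEY_USERS instead of only the
    # current user, so an installation under another account is not missed.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $userKey = Join-Path $hive.PSPath 'Software\Ingenuity (UK) Ltd\Cyber Predator'
        if (Test-Path -LiteralPath $userKey) { $findings.Add((New-Finding 'Registry' 'High' $userKey)) }
    }

    return $findings
}

$result = Find-CyberPredatorArtifacts
if ($result.Count -eq 0) {
    Write-Output 'No Spyware.CyberPredator artifacts found on this host.'
} else {
    $result | Sort-Object Severity, Type | Format-Table -AutoSize
}
```

Any High finding means the host is the monitoring machine and its network adapter should be assumed to have been capturing traffic for the whole segment; an Info finding on its own (for example the Chart FX control or the PCANDIS5 driver) is not conclusive, because the page lists those components as non-malicious and other software may legitimately install them.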