Spyware.PrintMonitor

Updated: July 03, 2006
Risk Impact: High
Systems Affected: Windows

Behavior

Spyware.PrintMonitor is spyware that monitors printer activity.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version July 03, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date July 05, 2006

When the risk is first executed, it creates the following files:
%UserProfile%\Desktop\SpyArsenal Print Monitor.lnk
%UserProfile%\Start Menu\Programs\SpyArsenal Print Monitor\SpyArsenal Print Monitor.lnk
%ProgramFiles%\SpyArsenal Print Monitor\pm32.dll
%ProgramFiles%\SpyArsenal Print Monitor\pm32.exe
%ProgramFiles%\SpyArsenal Print Monitor\pm32.rep
%ProgramFiles%\SpyArsenal Print Monitor\RVPM32.exe
%ProgramFiles%\SpyArsenal Print Monitor\Uninstall.exe
%System%\msxmlr.dat
%UserProfile%\Start Menu\Programs\SpyArsenal Print Monitor Pro\SpyArsenal Print Monitor Pro.lnk
%ProgramFiles%\SpyArsenal Print Monitor Pro\license.txt
%ProgramFiles%\SpyArsenal Print Monitor Pro\PMPro32.dll
%ProgramFiles%\SpyArsenal Print Monitor Pro\pmpro32.exe
%ProgramFiles%\SpyArsenal Print Monitor Pro\PMPro32.rep
%ProgramFiles%\SpyArsenal Print Monitor Pro\RVPMPro32.exe
%ProgramFiles%\SpyArsenal Print Monitor Pro\Uninstall.exe

The risk creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyArsenal-Print-Monitor
HKEY_LOCAL_MACHINE\SOFTWARE\KMiNT21\SpyArsenal-Print-Monitor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\SpyArsenal Print Monitor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyArsenal-Print-Monitor-Pro
HKEY_LOCAL_MACHINE\SOFTWARE\KMiNT21\SpyArsenal-Print-Monitor-Pro

The risk creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\"System Date Change Enabled" = "[VALUE DEPENDS ON INSTALLATION DATE]"

The risk creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PMPro32" = "%ProgramFiles%\SpyArsenal Print Monitor Pro\pmpro32.exe"

The risk creates the following folder to be used to store copies of the documents being sent to the printer:
%ProgramFiles%\SpyArsenal Print Monitor Pro\Documents

The risk can log any printer use and can save the documents being printed locally.

The risk uses some basic rootkit technologies to run in full stealth mode, hiding its own folder and autorun registry key.

A hotkey can be used to pop up the main user interface, and a password can be configured so that only the administrator can access the program data.

The risk can also send logs periodically via email or via FTP to an email account or FTP site configured by the user.

NOTE: The security risk exists in two versions:
  • Lite version: SpyArsenal Print Monitor
  • Full version: SpyArsenal Print Monitor Pro
The lite version only logs printer usage. It does not save copies of the printed document, does not have any stealth features, and cannot send logs via email or FTP.
The full version has all the features described above.
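
The files, folders and registry locations listed above can be gathered into one host check. The script below is an added example, not part of the original write-up or the vendor's tooling. The `Program Files (x86)` and `WOW6432Node` variants are an assumption for 64-bit Windows, where 32-bit installs are redirected.

```powershell
# Added example: look for the artifacts listed in this write-up on a Windows host.
# Assumption: on 64-bit Windows a 32-bit install may land under
# "Program Files (x86)" and SOFTWARE\WOW6432Node, so both views are checked.
$pf   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$sys  = [Environment]::SystemDirectory          # the write-up's %System%
$hklm = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

# Files and folders named in the write-up (install folders cover the files inside them)
$paths = @(
    "$env:USERPROFILE\Desktop\SpyArsenal Print Monitor.lnk"
    "$env:USERPROFILE\Start Menu\Programs\SpyArsenal Print Monitor"
    "$env:USERPROFILE\Start Menu\Programs\SpyArsenal Print Monitor Pro"
    "$sys\msxmlr.dat"
)
foreach ($root in $pf) {
    $paths += "$root\SpyArsenal Print Monitor"
    $paths += "$root\SpyArsenal Print Monitor Pro"
}

# Registry subkeys named in the write-up
$keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\SpyArsenal Print Monitor')
foreach ($h in $hklm) {
    foreach ($name in 'SpyArsenal-Print-Monitor', 'SpyArsenal-Print-Monitor-Pro') {
        $keys += "$h\Microsoft\Windows\CurrentVersion\Uninstall\$name"
        $keys += "$h\KMiNT21\$name"
    }
}

# Registry values: the autorun entry and the install-date marker
$values = foreach ($h in $hklm) {
    @{ Key = "$h\Microsoft\Windows\CurrentVersion\Run"; Name = 'PMPro32' }
    @{ Key = $h; Name = 'System Date Change Enabled' }
}

$hits = @()
foreach ($p in $paths + $keys) {
    if (Test-Path -LiteralPath $p) { $hits += [pscustomobject]@{ Kind = 'Path'; Item = $p; Data = $null } }
}
foreach ($v in $values) {
    $prop = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($prop) { $hits += [pscustomobject]@{ Kind = 'Value'; Item = "$($v.Key)\$($v.Name)"; Data = $prop.($v.Name) } }
}

if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No listed artifacts visible from this session.' }
```

Because the full version hides its own folder and autorun registry key, an empty result from a running system is inconclusive for that version. Checking the same paths and keys on an offline copy of the disk and registry hives avoids relying on what the live system reports.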