Spyware.WebSnitch

Updated: June 23, 2006
Systems Affected: Windows

Behavior

Spyware.WebSnitch is a spyware program that steals confidential information by logging keystrokes and capturing screenshots. The gathered information can be sent to a predetermined email address or FTP account.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version June 23, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date June 28, 2006

When the program is executed, it creates the following files:
C:\Documents and Settings\Administrator\Recent\WebSnitch.txt.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebSnitch v3.0\Install default settings.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebSnitch v3.0\License.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebSnitch v3.0\Logs Viewer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebSnitch v3.0\Read user manual.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebSnitch v3.0\Visit Our Website.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WebSnitch v3.0\WebSnitch v2.0.lnk
C:\Program Files\WebSnitch v3.0\DEFAULTS.REG
C:\Program Files\WebSnitch v3.0\IJL15.DLL
C:\Program Files\WebSnitch v3.0\license.txt
C:\Program Files\WebSnitch v3.0\mscomctl.ocx
C:\Program Files\WebSnitch v3.0\mswinsck.ocx
C:\Program Files\WebSnitch v3.0\TABCTL32.OCX
C:\Program Files\WebSnitch v3.0\unins000.dat
C:\Program Files\WebSnitch v3.0\unins000.exe
C:\Program Files\WebSnitch v3.0\viewer.exe
C:\Program Files\WebSnitch v3.0\websnitch.chm
C:\Program Files\WebSnitch v3.0\websnitch.exe
C:\Program Files\WebSnitch v3.0\www.websnitch[1]
C:\Program Files\WebSnitch v3.0\xshld8248.tmp
C:\Windows\WEBSNITCH.LIC

Next, the program creates the following registry entry so that the risk runs whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WebSnitch" = ""

The program creates the following registry subkeys:
HKEY_USERS\S-1-5-21-1796476394-1578718373-1210581722-500\Software\VB and VBA Program Settings\WebSnitch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSnitch v3.0_is1


The program alters the following registry value:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "31"
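
The registry indicators listed above can be checked offline against a saved registry export. The Python below is an added example, not part of the original write-up: it assumes the export has already been decoded to text in .reg format, matches keys without their hive and SID prefix (the SID shown above belongs to the analysed machine), and runs on a constructed sample.

```python
import re

# Indicators from the write-up, lower-cased and without the hive/SID
# prefix, which differs per machine and per user account.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
SUBKEYS = (
    r"software\vb and vba program settings\websnitch",
    r"software\microsoft\windows\currentversion\uninstall\websnitch v3.0_is1",
)

# Constructed sample export (placeholder SID), not data from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WebSnitch"=""

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\VB and VBA Program Settings\WebSnitch]

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"="31"
'''

def scan_reg_export(text):
    """Return (indicator, key, data) tuples found in .reg export text."""
    hits, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # current key path, applies to following values
            hits.extend(("subkey", key, "") for s in SUBKEYS if key.lower().endswith(s))
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m:
            continue  # header, blank line, or default (@) value
        name, data, low = m.group(1).lower(), m.group(2), key.lower()
        if low.endswith(RUN_KEY) and name == "websnitch":
            hits.append(("run-autostart", key, data))
        # Assumption: any data other than an explicit zero DWORD counts as set.
        elif (low.endswith(POLICY_KEY) and name == "disabletaskmgr"
              and data.lower() != "dword:00000000"):
            hits.append(("taskmgr-disabled", key, data))
    return hits

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE):
        print(hit)
```
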

The program also uses port 21 for FTP traffic.
Writeup By: ICC Software