Threat Explorer

Spyware.DSpy

Updated:
13 February 2007
Version:
4.0
Publisher:
Alpine Snow
Risk Impact:
High
File Names:
DSPY_demo.exe, DSPY.exe, Config.exe
Systems Affected:
Windows

Behavior


Spyware.DSpy is a program that takes screenshots on your computer.

Symptoms


The files are detected as Spyware.DSpy.

Transmission


Spyware.DSpy must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 15 July 2004
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 15 July 2004

Spyware.DSpy is a screen capture program, distributed as Desktop Spy 4.0, that saves screenshots of the desktop as image files in a log folder.

When Spyware.DSpy is installed, it does the following:
  1. Allows the choice of the installation folder. The default installation folder is %ProgramFiles%\DS.

    Note:
    %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.

  2. Allows the choice of the Start Menu folder. The default is Desktop Spy 4.0.

  3. Creates the following folders and files:
    • %ProgramFiles%\DS\UNWISE.EXE: Generic uninstaller.
    • %System%\ijl11.dll: Intel JPEG Library.
    • %System%\msvbvm60.dll: Microsoft Visual Basic Virtual Machine Library.
    • %ProgramFiles%\DS\DSPY.exe: Screenshot logger, detected as Spyware.DSpy.
    • %ProgramFiles%\DS\ijl11.dll: Intel JPEG Library.
    • %ProgramFiles%\DS\Config.exe: Screenshot logger manager/viewer, detected as Spyware.DSpy.
    • %ProgramFiles%\DS\DSPY.cnt: Help contents file used by Dspy.hlp.
    • %ProgramFiles%\DS\Dspy.hlp: Help file.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\Desktop Spy 4.0\Desktop Spy Configuration.lnk: Start menu link.
    • C:\Documents and Settings\Administrator\Start Menu\Programs\Desktop Spy 4.0\Desktop Spy Help.lnk: Start menu link.
    • %ProgramFiles%\DS\INSTALL.LOG: Installation information.
    • C:\Windows\DHPY\: Log folder where the captured screenshots are written (the folder and the .JPG extension are set by the Default05 and Default06 values listed below).

      Note: %System% is a variable. The installer locates the System folder and copies the files to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  4. Adds the value:

    "DHPY" = "%ProgramFiles%\DS\DSPY.EXE"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  5. Adds the following registry keys and values:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Spy 4.0\DisplayName = "Desktop Spy 4.0"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Spy 4.0\UninstallString = "C:\PROGRA~1\DS\UNWISE.EXE C:\PROGRA~1\DS\INSTALL.LOG"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Change = "0"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Close = ""
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default01 = "1"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default02 = "6"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default03 = "10"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default04 = "Picture"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default05 = "C:\Windows\DHPY"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default06 = ".JPG"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default07 = "1"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default08 = "1"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Default09 = "50000"
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\LockKey = ""
    • HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP\Password = "0"
    • HKEY_LOCAL_MACHINE\Software\NGBDefault = "B2AC12BF"

  6. Adds the following registry keys/values:
    • HKEY_CLASSES_ROOT\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\(Default) = "VBPropertyBag"
    • HKEY_CLASSES_ROOT\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\(Default) = "%System%\msvbvm60.dll"
    • HKEY_CLASSES_ROOT\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InProcServer32\ThreadingModel = "Apartment"
    • HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\6.0\9\win32\(Default) = "%System%\msvbvm60.dll"
    • HKEY_CLASSES_ROOT\TypeLib\{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}\6.0\9\win32\(Default) = "%System%\msvbvm60.dll\3"
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\VBRuntime\EventMessageFile = "%System%\msvbvm60.dll"
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\VBRuntime\TypesSupported = "0x4"

      These are the standard registrations for the Visual Basic 6 runtime (msvbvm60.dll) that DSPY.exe and Config.exe need. Other applications may depend on the same runtime, so the removal instructions below leave these keys and the DLL in place.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Uninstall Spyware.DSpy.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Spyware.DSpy.
  5. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To uninstall the spyware
  1. Navigate to %ProgramFiles%\DS.
  2. Double-click UNWISE.EXE. (The same uninstaller is registered in Add/Remove Programs as Desktop Spy 4.0 through the Uninstall key listed above, so it can also be run from there.)

3. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document "How to start the computer in Safe Mode."

4. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.DSpy, click Delete.

    Notes:
  • If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.
  • If you ran the uninstaller (UNWISE.EXE, or the Desktop Spy 4.0 entry in Add/Remove Programs) as described in section 2, all the files may already have been removed, and thus none of them will be detected.


5. To delete the values from the registry

Important:
Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document "How to make a backup of the Windows registry" for instructions.


Note:
This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.

  1. Click Start > Run.
  2. Type regedit

    Then click OK.

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

  4. In the left pane, delete the subkey:

    Desktop Spy 4.0

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft

  6. In the left pane, delete the subkey:

    NKJBMP

  7. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  8. In the right pane, delete the value:

    "DHPY" = "C:\PROGRAM FILES\DS\DSPY.EXE"

  9. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software

  10. In the right pane, delete the value:

    "NGBDefault" = "B2AC12BF"

  11. Exit the Registry Editor.

  12. Restart the computer in Normal mode.
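As an added example for this page (not a Symantec tool and not part of the original write-up), the following Python checks a registry export for the indicators listed in steps 4 to 6 of the behavior section and produces the deletion file that corresponds to section 5 above. The export text inside it is constructed to match the values the page lists, not captured from a real machine; the matching rules (a DHPY value under the Run key whose data ends in \DS\DSPY.EXE, the NKJBMP key, the NGBDefault value under HKLM\Software, and the Desktop Spy 4.0 Uninstall subkey) are this example's own assumptions drawn from that list.

```python
REG_HEADER = "Windows Registry Editor Version 5.00"

# Locations named in the write-up (registry paths are case-insensitive).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP"
SOFTWARE_KEY = r"HKEY_LOCAL_MACHINE\Software"
UNINSTALL_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
                 r"\CurrentVersion\Uninstall\Desktop Spy 4.0")

# Constructed export resembling what `reg export HKLM\Software` would
# produce on an infected host; the ctfmon entry is a benign decoy.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software]
"NGBDefault"="B2AC12BF"

[HKEY_LOCAL_MACHINE\Software\Microsoft\NKJBMP]
"Change"="0"
"Default05"="C:\\Windows\\DHPY"
"Default06"=".JPG"
"Password"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DHPY"="C:\\Program Files\\DS\\DSPY.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Spy 4.0]
"DisplayName"="Desktop Spy 4.0"
"UninstallString"="C:\\PROGRA~1\\DS\\UNWISE.EXE C:\\PROGRA~1\\DS\\INSTALL.LOG"
'''


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}. Quoted strings and
    dword values are decoded; other forms (hex blobs) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line in (REG_HEADER, "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslash and double quote with a backslash.
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def _values(keys, wanted):
    # Case-insensitive key lookup; returns {lowercased name: data} or None.
    for key, vals in keys.items():
        if key.lower() == wanted.lower():
            return {n.lower(): d for n, d in vals.items()}
    return None


def find_dspy(keys):
    """Return the Spyware.DSpy indicators present in a parsed export."""
    found = {}
    run = _values(keys, RUN_KEY) or {}
    # Match on the file name so that both %ProgramFiles%\DS\DSPY.EXE and
    # the C:\PROGRAM FILES\DS\DSPY.EXE spelling used on the page hit.
    if str(run.get("dhpy", "")).lower().endswith(r"\ds\dspy.exe"):
        found["run_value"] = run["dhpy"]
    cfg = _values(keys, CONFIG_KEY)
    if cfg is not None:
        found["config_key"] = True
        found["capture_dir"] = cfg.get("default05")   # where screenshots land
        found["capture_ext"] = cfg.get("default06")   # screenshot extension
    sw = _values(keys, SOFTWARE_KEY) or {}
    if "ngbdefault" in sw:
        found["ngbdefault"] = sw["ngbdefault"]
    if _values(keys, UNINSTALL_KEY) is not None:
        found["uninstall_key"] = True
    return found


def removal_reg(found):
    """Build a regedit-importable file deleting only what was found:
    "[-KEY]" deletes a subkey, '"name"=-' deletes a single value."""
    lines = [REG_HEADER, ""]
    if found.get("uninstall_key"):
        lines += ["[-" + UNINSTALL_KEY + "]", ""]
    if found.get("config_key"):
        lines += ["[-" + CONFIG_KEY + "]", ""]
    if "run_value" in found:
        lines += ["[" + RUN_KEY + "]", '"DHPY"=-', ""]
    if "ngbdefault" in found:
        lines += ["[" + SOFTWARE_KEY + "]", '"NGBDefault"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_dspy(parse_reg(SAMPLE_EXPORT))
    print(hits)
    print(removal_reg(hits))
```

Export the hive first (File > Export in regedit, or `reg export HKLM\Software hklm_software.reg`); a real export is UTF-16, so read it with `open(path, encoding="utf-16")`. The generated file deletes only the four artifacts section 5 tells you to remove and leaves the msvbvm60.dll registrations alone; import it with `regedit /s` from Safe mode after the uninstaller and the full scan have run, which is the same order as the steps above.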