
Spyware.SpyGraphica


Updated:
13 February 2007
Version:
3.1
Publisher:
cablehead software
Risk Impact:
High
File Names:
SpyGraphica.exe (installer), chm.exe, SpyGraphica.exe (main configuration manager), svchosts.exe
Systems Affected:
Windows

Behavior


Spyware.SpyGraphica is a program that logs keystrokes and takes snapshots on your computer.

Symptoms


One or more files are detected as Spyware.SpyGraphica.

Behavior


Spyware.SpyGraphica must be manually installed on your system.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 17 July 2004
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 21 July 2004

When Spyware.SpyGraphica runs, it can:
  • Log keystrokes and take screenshots.
  • Hide and unhide its tray icon.
  • Transfer its logs via email.

When Spyware.SpyGraphica runs, it does the following:
  1. Displays the installation instructions.

  2. Prompts for the installation folder. The default installation folder is C:\SpyGraphica.

    Note: The rest of this document assumes that the spyware was installed in the default folder.

  3. Creates the following files:
    C:\SpyGraphica\lCap\chm.exe: Used for registration. Detected as Spyware.SpyGraphica.
    C:\SpyGraphica\lCap\dfr.abc
    C:\SpyGraphica\INSTALL.LOG: Installation information.
    C:\SpyGraphica\ReadMe.txt: Documentation.
    C:\SpyGraphica\SpyGraphica.exe: Main configurations application. Detected as Spyware.SpyGraphica.
    C:\SpyGraphica\SpyGraphica.exe.manifest: Spyware information.
    C:\SpyGraphica\svchosts.exe: Main logging application. Detected as Spyware.SpyGraphica.
    C:\SpyGraphica\UNWISE.EXE: Generic uninstaller.
    C:\Documents and Settings\Administrator\Start Menu\Programs\SpyGraphica\SpyGraphica.lnk: Start menu link.

  4. Creates the following files in %System% directory if they do not already exist:

    Note: %System% is a variable. The installer locates the System folder and places these files in that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    Important:
    Other applications may use the following files. Microsoft provides many of the files. We advise that you do not erase these files.
    • WISE0001.DLL
    • OCXREG32.EXE
    • PROGRESS.DLL
    • W32INST.DLL
    • OLEAUT32.DLL
    • OLEPRO32.DLL
    • ASYCFILT.DLL
    • STDOLE2.TLB
    • MSVBVM60.DLL
    • REGSVR32.EXE
    • COMCAT.DLL
    • MFC42.DLL
    • MSVCRT40.DLL
    • MSCOMCTL.OCX
    • COMDLG32.OCX
    • VBAR332.DLL
    • RESTART.EXE
    • UNWISE32.EXE
    • GETCPU.DLL
    • SSUBTMR6.DLL
    • SSUBTMR.DLL
    • DWSPY36.DLL
    • DWSHK36.OCX
    • CCRPTMR6.DLL
    • IJL11.DLL
    • GLABCORE.DLL
    • CCRPSLD.OCA
    • CCRPSLD.OCX
    • MSWINSCK.OCX
    • VBALGRID6.OCX
    • XPMENU.OCX
    • MSVCRT.DLL
    • MBPRGBAR.OCX
    • VBALIML6.OCX
    • SCRRUN.DLL

  5. Adds the value:

    "RegHelp" = "C:\SPYGRA~1\svchosts.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  6. Creates the following registry keys/values:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyGraphica Pro 3\DisplayName = "SpyGraphica Pro 3"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyGraphica Pro 3\UninstallString = "C:\SPYGRA~1\UNWISE.EXE C:\SPYGRA~1\INSTALL.LOG"
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/SpyGraphica/INSTALL.LOG\Icons\1\Path = "C:\SPYGRA~1\SpyGraphica.exe"
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/SpyGraphica/INSTALL.LOG\Icons\1\ShowWindow = "1"
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/SpyGraphica/INSTALL.LOG\Icons\1\Arguments = ""
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/SpyGraphica/INSTALL.LOG\Icons\1\WorkingDir = ""
    HKEY_LOCAL_MACHINE\Software\Windows\aAppString = "<string found in application to screen capture>"
    HKEY_LOCAL_MACHINE\Software\Windows\aDesktop = "<option for screen capture style>"
    HKEY_LOCAL_MACHINE\Software\Windows\aline = "<mail setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\ap = "C:\SPYGRA~1\svchosts.exe"
    HKEY_LOCAL_MACHINE\Software\Windows\CapAtBoot = "<option for starting capture at boot time>"
    HKEY_LOCAL_MACHINE\Software\Windows\cDelay = "<screen capture delay in milliseconds>"
    HKEY_LOCAL_MACHINE\Software\Windows\eDesktop = "<option for screen capture style>"
    HKEY_LOCAL_MACHINE\Software\Windows\f1 = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\f2 = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\flo = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Font = "<font of log>"
    HKEY_LOCAL_MACHINE\Software\Windows\fqual = "<capture quality>"
    HKEY_LOCAL_MACHINE\Software\Windows\Frunner = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Home = "C:\SPYGRA~1\svchosts.exe"
    HKEY_LOCAL_MACHINE\Software\Windows\Left = "<positioning setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Left2 = "<positioning setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Lrun = "<last run time>"
    HKEY_LOCAL_MACHINE\Software\Windows\madd = "<mailing address>"
    HKEY_LOCAL_MACHINE\Software\Windows\MD = "<disk options>"
    HKEY_LOCAL_MACHINE\Software\Windows\MDSpace = "<maximum disk space>"
    HKEY_LOCAL_MACHINE\Software\Windows\mEnabled = "<log mailing setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\mfreq = "<mailing frequency>"
    HKEY_LOCAL_MACHINE\Software\Windows\modem = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\msvr = "<mailing server>"
    HKEY_LOCAL_MACHINE\Software\Windows\nframes = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\ram = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\rtards = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Run = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\sApp = "<miscellaneous setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\SavePath = "<path to save logs>"
    HKEY_LOCAL_MACHINE\Software\Windows\sDelay = "<viewing delay in seconds>"
    HKEY_LOCAL_MACHINE\Software\Windows\Stealth = "<stealth options>"
    HKEY_LOCAL_MACHINE\Software\Windows\StopIfMax = "<maximum disk setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\ToolTip = "<warning message>"
    HKEY_LOCAL_MACHINE\Software\Windows\Top = "<positioning setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Top2 = "<positioning setting>"
    HKEY_LOCAL_MACHINE\Software\Windows\Xfor = "<encrypted password>"
    HKEY_LOCAL_MACHINE\Software\Windows\zMin = "<miscellaneous setting>"
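The files, the "RegHelp" Run value and the registry keys listed in steps 3 to 6 are the indicators a defender would check for. The following read-only audit script is an added example, not code from the Symantec write-up or from the spyware's publisher; it assumes the default install folder C:\SpyGraphica, and the function name, its -InstallDir parameter and the extra WOW6432Node lookup (for a 32-bit installer on 64-bit Windows) are this example's own additions.

```powershell
# Added example (not from the Symantec write-up): a read-only audit that checks a
# Windows host for the Spyware.SpyGraphica artifacts listed in steps 3 to 6.
# Assumptions: the default install folder C:\SpyGraphica; the function name and
# its -InstallDir parameter are this example's own. Run from an elevated prompt.
function Get-SpyGraphicaIndicators {
    [CmdletBinding()]
    param(
        [string]$InstallDir = 'C:\SpyGraphica'
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string]$Type, [string]$Location, $Value) {
        $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Value = $Value })
    }

    # Step 3: files dropped in the install folder
    foreach ($rel in 'SpyGraphica.exe', 'svchosts.exe', 'lCap\chm.exe', 'UNWISE.EXE', 'INSTALL.LOG') {
        $path = Join-Path $InstallDir $rel
        if (Test-Path -LiteralPath $path) { Add-Finding 'File' $path $null }
    }

    # The logger runs as svchosts.exe (note the extra "s"); the legitimate
    # Windows host process is svchost.exe, so this name alone is a red flag.
    Get-Process -Name 'svchosts' -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'Process' $_.Path "PID $($_.Id)"
    }

    # Step 5: the "RegHelp" autostart value in the machine Run key
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['RegHelp']) {
        Add-Finding 'RunValue' "$runKey\RegHelp" $run.RegHelp
    }

    # Step 6: the configuration key the spyware writes as HKLM\Software\Windows.
    # It sits next to the legitimate HKLM\Software\Microsoft\Windows, so the exact
    # path is matched. The WOW6432Node variant is this example's assumption for a
    # 32-bit installer running on 64-bit Windows.
    foreach ($cfgKey in 'HKLM:\Software\Windows', 'HKLM:\Software\WOW6432Node\Windows') {
        if (Test-Path -LiteralPath $cfgKey) {
            $cfg = Get-ItemProperty -Path $cfgKey -ErrorAction SilentlyContinue
            Add-Finding 'ConfigKey' $cfgKey $cfg.ap
            # The mail settings show whether and where captured logs were being sent
            foreach ($name in 'mEnabled', 'msvr', 'madd', 'mfreq', 'SavePath', 'Stealth') {
                if ($cfg.PSObject.Properties[$name]) {
                    Add-Finding 'ConfigValue' "$cfgKey\$name" $cfg.$name
                }
            }
        }
    }

    # Step 6: Wise installer repair entry (its subkey name contains forward
    # slashes, so it is found by enumeration) and the Add/Remove Programs entry
    $repair = 'HKLM:\Software\Wise Solutions\Wise Installation System\Repair'
    Get-ChildItem -Path $repair -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*SpyGraphica*' } |
        ForEach-Object { Add-Finding 'WiseRepairKey' $_.Name $null }

    $uninst = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\SpyGraphica Pro 3'
    if (Test-Path -LiteralPath $uninst) {
        Add-Finding 'UninstallKey' $uninst (Get-ItemProperty -Path $uninst).UninstallString
    }

    return $findings.ToArray()
}

# Usage: list everything found; an empty result means none of the indicators are present
$hits = @(Get-SpyGraphicaIndicators)
if ($hits.Count -eq 0) { 'No Spyware.SpyGraphica indicators found.' } else { $hits | Format-Table -AutoSize }
```

The script only reads; it never deletes anything. Files are tested with -LiteralPath so that nothing in the path is interpreted as a wildcard, and the Wise repair subkey is located by enumerating the Repair key because its name contains forward slashes that would otherwise be mangled when built into a registry path.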



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Uninstall Spyware.SpyGraphica.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Spyware.SpyGraphica.
  5. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.
  1. To update virus definitions
    To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

  2. To uninstall Spyware
    1. Navigate to C:\SpyGraphica.
    2. Double-click UNWISE.EXE.

  3. To restart the computer in Safe mode
    Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document, How to start the computer in Safe Mode.

  4. To scan for and delete the files
    1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, How to configure Norton AntiVirus to scan all files.
    2. Run a full system scan.
    3. If any files are detected as Spyware.SpyGraphica, click Delete.


      Note:
      If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file names. Then use Windows Explorer to locate and delete the file. If you ran the uninstallation process as described in the previous section, it is possible that all the files were removed, and therefore none will be detected.

  5. To delete the values from the registry

    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

    Note: This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.

    1. Click Start > Run.
    2. In the Open box, type: regedit
    3. Click OK.

  4. Navigate to the key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete the value:

    "RegHelp" = "C:\SPYGRA~1\svchosts.exe"

  5. Navigate to the key:
    HKEY_LOCAL_MACHINE\Software

    In the left pane, delete the subkey: Windows

    Important: Make sure that you do not delete the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

  6. Navigate to the key:
    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair

    In the left pane, delete the subkey:

    C:/SpyGraphica/INSTALL.LOG

  7. Exit the Registry Editor.
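Registry steps 4 to 6 above can be scripted for hosts where the manual Registry Editor procedure is impractical. The following script is an added example, not code from the Symantec write-up; it deletes exactly the three entries the procedure names, supports -WhatIf so the planned deletions can be reviewed before anything is changed, and carries an explicit guard against the mistake the procedure warns about (deleting the real HKEY_LOCAL_MACHINE\Software\Microsoft\Windows). The function name is this example's own, and the WOW6432Node path is an assumption for a 32-bit installer on 64-bit Windows.

```powershell
# Added example (not from the Symantec write-up): removes the registry entries
# named in steps 4 to 6 of the removal procedure, to be run after the uninstaller
# and the antivirus scan. Supports -WhatIf and -Confirm. The function name is this
# example's own; the WOW6432Node variant is an assumption for 32-bit installs on
# 64-bit Windows. Run from an elevated prompt after backing up the registry.
function Remove-SpyGraphicaRegistry {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # Step 4: the "RegHelp" autostart value in the machine Run key
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['RegHelp']) {
        if ($PSCmdlet.ShouldProcess("$runKey\RegHelp", 'Remove value')) {
            Remove-ItemProperty -Path $runKey -Name 'RegHelp'
        }
    }

    # Step 5: the spyware's HKLM\Software\Windows key. The guard refuses any path
    # containing "\Microsoft\" so the legitimate HKLM\Software\Microsoft\Windows
    # can never be selected by a typo in this list.
    foreach ($cfgKey in 'HKLM:\Software\Windows', 'HKLM:\Software\WOW6432Node\Windows') {
        if ($cfgKey -match '\\Microsoft\\') { throw "Refusing to touch $cfgKey" }
        if ((Test-Path -LiteralPath $cfgKey) -and $PSCmdlet.ShouldProcess($cfgKey, 'Remove key')) {
            Remove-Item -LiteralPath $cfgKey -Recurse
        }
    }

    # Step 6: the Wise repair entry. Its subkey name (C:/SpyGraphica/INSTALL.LOG)
    # contains forward slashes, so it is located by enumerating the Repair key
    # rather than by building the path as a string.
    $repair = 'HKLM:\Software\Wise Solutions\Wise Installation System\Repair'
    $entries = @(Get-ChildItem -Path $repair -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*SpyGraphica*' })
    foreach ($entry in $entries) {
        if ($PSCmdlet.ShouldProcess($entry.Name, 'Remove key')) {
            Remove-Item -LiteralPath $entry.PSPath -Recurse
        }
    }
}

# Review the planned changes first, then run for real:
Remove-SpyGraphicaRegistry -WhatIf
# Remove-SpyGraphicaRegistry
```

Because ConfirmImpact is High, running the function without -WhatIf prompts for each deletion under the default $ConfirmPreference, which matches the manual procedure's "modify the specified keys only" advice; pass -Confirm:$false only once the -WhatIf output has been checked.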