Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Spyware.TrueActive

Spyware.TrueActive

Updated:
13 February 2007
Version:
5.0
Publisher:
TrueActive
Risk Impact:
High
File Names:
_.exe,tamset.exe,sem.dll,winsdoc.dll,winlogon.exe
Systems Affected:
Windows

Behavior


Spyware.TrueActive is the commercial keylogger TrueActive Monitor. Formerly known as WinWhatWhere Investigator, TrueActive Software published this spyware.

The spyware has a comprehensive suite of system monitoring tools including, keystroke, password, instant messaging, video/screen capture, and network usage logging. It can also operate in silent mode and can also use email to send logs to a remote observer.

Also see the Spyware.WinWhatWhere writeup for more information.


Symptoms


One or more files is detected as Spyware.TrueActive.

Behavior


Spyware.TrueActive must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 14 September 2004
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 15 September 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Spyware.TrueActive is run, it does the following:
  1. Creates the following files:
    • %System%\_ISource2.dll (Smaller Animals Software image processing library)
    • %System%\ADACschd.dll (ADAC scheduling library)
    • %System%\comctl32.dll (Microsoft ActiveX control)
    • %System%\comdlg32.ocx (Microsoft ActiveX control)
    • %System%\dweasy36.ocx (Desaware Spyworks hook control)
    • %System%\dwshk36.ocx (Desaware Spyworks hook control)
    • %System%\dwspy36.dll (Desaware Spyworks hook control)
    • %System%\dwspy5.dll (Desaware Spyworks hook control)
    • %System%\dwspyvb6.dll (Desaware Spyworks hook control)
    • %System%\exemail.dll (Exontrol Inc. SMTP mail library)
    • %System%\imgx4.dll (Designer Controls Inc. imaging library)
    • %System%\mscomct2.ocx (Microsoft ActiveX control)
    • %System%\mscomctl.ocx (Microsoft ActiveX control)
    • %System%\msjt3032.dll (Microsoft library)
    • %System%\pt2.exe (win9x specific file)
    • %System%\qpro32.dll (Progress Software Quickpak directory check library)
    • %System%\regadd.exe (registry related file)
    • %System%\spr32x60.ocx (FarPoint Technologies ActiveX control)
    • %System%\sscala32.ocx (Calendar Widgets date and time ActiveX control)
    • %System%\vb5db.dll (Microsoft VB 5 library)
    • %System%\vb6chs.dll (Microsoft VB 6 simplified Chinese library)
    • %System%\vb6cht.dll (Microsoft VB 6 traditional Chinese library)
    • %System%\vb6de.dll (Microsoft VB 6 German library)
    • %System%\vb6es.dll (Microsoft VB 6 Spanish library)
    • %System%\vb6fr.dll (Microsoft VB 6 French library)
    • %System%\vb6it.dll (Microsoft VB 6 Italian library)
    • %System%\vb6jp.dl (Microsoft VB 6 Japanese library)
    • %System%\vb6ko.dll (Microsoft VB 6 Korean library)
    • %System%\videoocx.ocx (Vision Pearls video capture ActiveX control)
    • %System%\vsocx6.ocx (VideoTeam video capture ActiveX control)
    • %System%\xcdzip35.ocx (compression library)
    • %System%\_.exe (program starter detected as Spyware.TrueActive)
    • %DocumentsandSettings%\All Users\Application Data\TAM\gl8412.dll (TrueActive Monitor settings file)
    • %DocumentsandSettings%\All Users\Application Data\TAM\0001.sys (a windows registry *.reg file)
    • %DocumentsandSettings%\All Users\Application Data\TAM\0003.sys (a windows registry *.reg file)
    • %DocumentsandSettings%\All Users\Application Data\TAM\0004.sys (a windows registry *.reg file)
    • %DocumentsandSettings%\All Users\Application Data\TAM\0005.sys (a Microsoft Installer *.msi file related to TrueActive Monitor's installation)
    • %DocumentsandSettings%\All Users\Application Data\TAM\il40.exe (standard jet format database, renamed *.mdb Microsoft Access file, same file as
    • w84.dat)
    • %DocumentsandSettings%\All Users\Application Data\TAM\ree.exe (removes uninstall information)
    • %DocumentsandSettings%\All Users\Application Data\TAM\sem.dll (log encryption and sending library detected as Spyware.TrueActive)
    • %DocumentsandSettings%\All Users\Application Data\TAM\tamset.sys (a Microsoft Installer *.msi file related to TrueActive Monitor's installation)
    • %DocumentsandSettings%\All Users\Application Data\TAM\tamtest.exe (checks for certain libraries)
    • %DocumentsandSettings%\All Users\Application Data\TAM\tamupd.exe (checks for certain libraries)
    • %DocumentsandSettings%\All Users\Application Data\TAM\tamx1.dll (SysInternals pcexesvc backdoor remote control library)
    • %DocumentsandSettings%\All Users\Application Data\TAM\tamx2.dll (SysInternals pslist process information library)
    • %DocumentsandSettings%\All Users\Application Data\TAM\tamx3.dll (TrueActive Monitor simple function library)
    • %DocumentsandSettings%\All Users\Application Data\TAM\updsem.exe (checks for certain libraries)
    • %DocumentsandSettings%\All Users\Application Data\TAM\winsdoc.dll (anti anti-spyware/registration library detected as Spyware.TrueActive)
    • %DocumentsandSettings%\All Users\Application Data\TAM\zw84.dat (standard jet format database, renamed *.mdb Microsoft Access file, same file as il40.exe)
    • %ProgramFiles%\TAM\tamrpt.exe (report viewer)
    • %ProgramFiles%\TAM\tamset.exe (executable, runs silently, logging detected as Spyware.TrueActive)
    • %Windir%\winlogon.exe (main logger, detected as Spyware.TrueActive)

      Notes:
      • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
      • %DocumentsandSettings% is a variable that refers to the Documents and Settings folder. By default, this is C:\Documents and Settings.
      • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Modifies one of these values:

    "<randomly chosen value>"="<path\file name>"

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    to:

    "<randomly chosen value>"="<_ path\file name>

    which causes the %System%\_.exe file to be executed each time that windows starts. This will cause _.exe to run TrueActive Monitor, and after that, launch the program that was originally set up to run.


The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan.
  3. Reverse the change made to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To run the scan
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.TrueActive and depending on which software version you are using, you may see one or more of the following options:

    Note: This applies only to versions of Norton AntiVirus that support Security Risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports Security Risk detection, and Security Risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.
    • Exclude (Not recommended): If you click this button, it will set the threat so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.

    • Ignore or Skip: This option tells the scanner to ignore the threat for this scan only. It will be detected again the next time that you run a scan.

    • Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the threat for this scan only, and thus, the threat will be detected again the next time that you run a scan.

      To actually delete the security risk:
      • Click its file name (under the Filename column).
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

        If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.

    • Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
      • If you see a message, "Delete Failed" (or similar message), manually delete the file.
      • Click the file name of the threat that is under the Filename column.
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

        If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.


3. To reverse the change made to the registry

Important:
Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

  1. Click Start > Run.
  2. Type regedit

    Then click OK.

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, in the Data column, look for a path and file name that begins with an underscore, for example:

    _ C:\Program Files\Program Folder\File Name.exe

  5. Double-click the value Name and remove the leading underscore and space.
  6. Exit the Registry Editor.

4. To delete the remaining files and folders
  1. Navigate to and delete the folders %ProgramFiles%\TAM and %DocumentsandSettings%\All Users\Application Data\TAM and any files that they contain.
  2. Navigate to the %System% folder and delete any of the .dll files shown below if you are sure that other programs are not using them. (If you are not sure, you should not delete them):

    %System%\_ISource2.dll
    %System%\ADACschd.dll
    %System%\dweasy36.ocx
    %System%\dwshk36.ocx
    %System%\dwspy36.dll
    %System%\dwspy5.dll
    %System%\dwspyvb6.dl
    %System%\exemail.dll
    %System%\imgx4.dll
    %System%\pt2.exe
    %System%\qpro32.dll
    %System%\regadd.exe
    %System%\spr32x60.ocx
    %System%\sscala32.ocx
    %System%\videoocx.ocx
    %System%\vsocx6.ocx
    %System%\xcdzip35.ocx

    Deleting the Microsoft-related files, mentioned above in the "Technical Details" section, is likely to affect other software on your computer. We do not recommend deleting these files unless you are certain that they are not required.