Employee Watcher

Posted: March 28, 2006

Employee Watcher is a complex commercial malware product that monitors user activity, records keystrokes, takes screenshots, captures chat conversations and e-mail messages. The application sends gathered data to a configurable e-mail address. Employee Watcher must be manually installed. It comes with the uninstaller, but is quite difficult to detect and remove. It runs on every Windows startup.

File System Modifications

The following files were created in the system:

# File Name

1 csrss.ex

2 csrss.exe

3 employeewatcher[XVS]uninstaller.exe

4 initializer.exe

5 smss.exe

6 svchost.exe

7 uninstaller.exe

#	File Name
1	csrss.ex
2	csrss.exe
3	employeewatcher[XVS]uninstaller.exe
4	initializer.exe
5	smss.exe
6	svchost.exe
7	uninstaller.exe

Registry Modifications

The following newly produced Registry Values are:
HKEY..\..\..\..{RegistryKeys}HKEY_CLASSES_ROOTANSMTP.OBJHKEY_CLASSES_ROOTANSMTP.OBJ.1HKEY_CLASSES_ROOTInetCtls.InetHKEY_CLASSES_ROOTInetCtls.Inet.1HKEY_CLASSES_ROOTMabry.CPingXPropPageHKEY_CLASSES_ROOTMabry.CPingXPropPage.1HKEY_CLASSES_ROOTMabry.PingXHKEY_CLASSES_ROOTMabry.PingX.1HKEY_CLASSES_ROOTMabry.PingXComHKEY_CLASSES_ROOTMabry.PingXCom.1HKEY_CLASSES_ROOTaxsCaptureScrn.axsCapScreenHKEY_CLASSES_ROOTdwshk36.HookPageHKEY_CLASSES_ROOTdwshk36.HookPage.1HKEY_CLASSES_ROOTdwshk36.KeyListHKEY_CLASSES_ROOTdwshk36.KeyList.1HKEY_CLASSES_ROOTdwshk36.KeyPageHKEY_CLASSES_ROOTdwshk36.KeyPage.1HKEY_CLASSES_ROOTdwshk36.MsgListHKEY_CLASSES_ROOTdwshk36.MsgList.1HKEY_CLASSES_ROOTdwshk36.RegMsgHKEY_CLASSES_ROOTdwshk36.RegMsg.1HKEY_CLASSES_ROOTdwshk36.WinHookHKEY_CLASSES_ROOTdwshk36.WinHook.6HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunWinUpdateProtectionHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunWinUpdateProtection
The following CLSID's were detected:
HKEY..\..\{CLSID Path}DE6317F7-6EF0-45C2-88D1-8E09415817F148E59290-9880-11CF-9754-00AA00C009083B7C8863-D78F-101B-B9B5-04021C009402389B19AA-9A87-11D1-B77F-00001C1AD1F81FAA49C4-16B7-4D28-8930-31BE1810D9430A4AFE1D-F664-11D0-B649-00001C1AD1F80468C941-83E2-11D3-BE51-00C0DFC2E32C0468C933-83E2-11D3-BE51-00C0DFC2E32CF7C1A3FA-C511-488A-B583-4F153B9368C4ED117630-4090-11CF-8981-00AA00688B10E9A5593C-CAB0-11D1-8C0B-0000F8754DA1D937A3C0-8634-11D3-BE51-00C0DFC2E32CB78B0E98-0431-4A6B-8C3D-F240FE8725F5AB14F05E-4C1D-49DC-8BD5-9E6B510B3EBAA834857C-9A90-11D1-B77F-00001C1AD1F8A5F6C90C-ABE4-4C57-A421-8C5A202AA9F88B8BB3A3-8576-11D3-BE51-00C0DFC2E32C8B8BB3A1-8576-11D3-BE51-00C0DFC2E32C859321D0-3FD1-11CF-8981-00AA00688B1068B8DCDB-EFA4-420A-BB8A-71B9892A206348E59292-9880-11CF-9754-00AA00C0090848E59291-9880-11CF-9754-00AA00C009083E3621C0-8635-11D3-BE51-00C0DFC2E32C3B7C8862-D78F-101B-B9B5-04021C009402389B19B7-9A87-11D1-B77F-00001C1AD1F80468C951-83E2-11D3-BE51-00C0DFC2E32C0468C94F-83E2-11D3-BE51-00C0DFC2E32CDE5C2449-65D5-4413-BFCF-6BFCDF294665AFC634B0-4B8B-11CF-8989-00AA00688B108B8BB3A2-8576-11D3-BE51-00C0DFC2E32C855C49A7-9C3C-11D1-B784-00001C1AD1F878E5A540-1850-11CF-9D53-00AA003C9CB66E29B982-9C50-11D1-B784-00001C1AD1F86E29B981-9C50-11D1-B784-00001C1AD1F848E59295-9880-11CF-9754-00AA00C0090848E59294-9880-11CF-9754-00AA00C0090848E59293-9880-11CF-9754-00AA00C009083B7C8860-D78F-101B-B9B5-04021C009402389B19B9-9A87-11D1-B77F-00001C1AD1F82C704DBB-9C46-11D1-B784-00001C1AD1F8253664FB-EDFC-4AC6-BD69-B322F466AEED22B4C8F5-A686-42CC-8224-E4817445109F0468C950-83E2-11D3-BE51-00C0DFC2E32C

Employee Watcher

File System Modifications

Registry Modifications

Leave a Reply