WALI

Posted: March 28, 2006

WALI is a commercial PC surveillance tool designed to record all user keystrokes, take screenshots, log Internet Explorer activity and capture online chat conversations. WALI saves logs to a hard disk. The application must be manually installed. It secretly runs on every Windows startup.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 services.exe
    2 wali.dll
    3 walimain.exe

Registry Modifications

  • The following Registry values were newly created:
    HKEY_CURRENT_USER\Software\VBandVBAProgramSettings\WALI
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UNIPro.uUNIPro
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WALI.cWALIRun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSVCS
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsActivityLoggingInterface_is1
  • The following CLSIDs were detected:
