Spy/XWodiSpy!WinCE

Release Date: Sep 07, 2009

Detection Availability
  FortiGate:   Active Database: low, Extended Database: high
  FortiClient:
  FortiMail:   N/A

Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

  • The following files and folder exist:
    • \Program Files\Setup\
    • \Windows\servc1e.exe
    • \Windows\servcie.exe
    • \Windows\monitor.exe

    Detailed Analysis

    This is a "commercial" Spyware tool, allowing for remote monitoring of a mobile device.

    It must be noted that proper installation requires physical access to the targeted device. Indeed, when run for the first time, the user is prompted for the InstallCode / MonitoredPhoneNumber pair that was generated when the tool was bought online.

    It can be activated with the correct InstallCode, and can also be stopped (Fig. 1).

    Figure 1: Activate/Stop

    Technical Details


    The spyware installation package is a CAB file.
    The following files and folder exist:
    • \Program Files\Setup\
    • \Windows\servc1e.exe
    • \Windows\servcie.exe
    • \Windows\monitor.exe
    It executes the dropped files and uses Windows API FindWindowW("WIN_CE_CLS","Service") to ensure its service is started.
    The spyware creates the file servcie.lnk under the \Windows\StartUp folder with the following content:
    • 22#"\Windows\servcie.exe"

    It checks the following registry entries:
    • key: KEY_CURRENT_USER\Control Panel\Desktop
      • value: ResourceLocale
    • key: KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      • value: NoRun
      • value: NoDrives
      • value: RestrictRun
      • value: NoNetConnectDisconnect
      • value: NoRecentDocsHistory
      • value: NoClose
    • key: KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
      • value: NoEntireNetwork
    • key: KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
      • value: NoPlacesBar
      • value: NoBackButton
      • value: NoFileMru
    It creates two hidden windows with the (ClassName, WindowName) pairs ("WIN_CE_CLS", "Service") and ("MONITOR", "Monitor"). It creates the following mutex:
    • {9A4A025C-FFD3-4064-9FF7-D21022458A0B}
    If its main window does not start up properly, it kills the following system processes:
    • \windows\home.exe
    • \windows\cprog.exe
    Once it has finished its own work, it starts up those two processes again.
    It creates the following registry value to delay the next call-in:
    • key: KEY_CURRENT_USER\ControlPanel\Sounds\RingTone0
    • value:Script =apw3r
    It tries to access the website w.si{removed}yan.com as follows:
    • Sends activation information to w.si{removed}yan.com/refer/activate.php in the format aSim=%s&aOwnerId=%d
    • Sends stop information to w.si{removed}yan.com/refer/stopuser.php in the format aSim=%s&aOwnerId=%d
    • Sends contact information to w.si{removed}yan.com/refer/contactpost.php in the format aSim=%s&aOwnerId=%d&aName=%s&aNumber=%s
    • Sends SMS information to w.si{removed}yan.com/refer/smspost.php in the format aSim=%s&aOwnerId=%d&aSmsType=%d&aName=%s&aSubject=%s&aSmsTime=%s
    • Sends call information to w.si{removed}yan.com/refer/callpost.php in the format aSim=%s&aOwnerId=%d&aName=%s&aNumber=%s&aCallType=%d&aStartTime=%s&aEndTime=%s
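    The call-in formats above make the traffic recognisable on a web proxy regardless of the hostname. The following is an added example, not part of the Fortinet entry, that flags proxy-log requests whose path and query parameter names match one of the listed call-ins; the log line shape ("timestamp client-ip METHOD url") and the host c2.invalid are assumptions, and the sample lines are constructed.

```python
# Added example (not from the Fortinet entry): detect Spy/XWodiSpy!WinCE
# call-ins by path and documented parameter names, independent of the C2 host.
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameter names the entry lists for that call-in type.
CALLIN_FORMATS = {
    "/refer/activate.php":    {"aSim", "aOwnerId"},
    "/refer/stopuser.php":    {"aSim", "aOwnerId"},
    "/refer/contactpost.php": {"aSim", "aOwnerId", "aName", "aNumber"},
    "/refer/smspost.php":     {"aSim", "aOwnerId", "aSmsType", "aName", "aSubject", "aSmsTime"},
    "/refer/callpost.php":    {"aSim", "aOwnerId", "aName", "aNumber", "aCallType", "aStartTime", "aEndTime"},
}

# Assumed proxy-log line shape: "<timestamp> <client-ip> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def classify_request(url):
    """Return (callin_type, params) if the URL matches a known call-in format, else None."""
    parts = urlsplit(url)
    expected = CALLIN_FORMATS.get(parts.path)
    if expected is None:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if not expected <= set(params):   # every documented field must be present
        return None
    callin_type = parts.path.rsplit("/", 1)[-1][:-len(".php")]
    return callin_type, {k: v[0] for k, v in params.items()}

def scan_log(lines):
    """Yield (timestamp, source, callin_type, params) for every matching line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = classify_request(m["url"])
        if hit:
            yield m["ts"], m["src"], hit[0], hit[1]

# Constructed sample log; c2.invalid is a placeholder, the entry redacts the real host.
SAMPLE_LOG = [
    "2009-09-07T10:00:01Z 10.0.0.5 GET http://c2.invalid/refer/activate.php?aSim=89012345&aOwnerId=42",
    "2009-09-07T10:05:13Z 10.0.0.5 GET http://c2.invalid/refer/smspost.php?aSim=89012345&aOwnerId=42&aSmsType=1&aName=Bob&aSubject=hi&aSmsTime=2009-09-07%2010:04",
    "2009-09-07T10:06:00Z 10.0.0.9 GET http://www.example.org/refer/activate.php?foo=1",
    "2009-09-07T10:07:30Z 10.0.0.5 GET http://c2.invalid/refer/callpost.php?aSim=89012345&aOwnerId=42&aName=Bob&aNumber=555&aCallType=2&aStartTime=t1&aEndTime=t2",
]

if __name__ == "__main__":
    for ts, src, kind, params in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} {kind}: {params}")
```

The third sample line shares the path but lacks the documented parameters, so it is not reported.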

    Description Last Updated Date: Sep 11, 2009
    Reference: ID - 1019260