MonitoringTool:Win32/DrpuPcDataManager is a monitoring program that monitors user activities, such as keystrokes typed, clipboard, screenshots, applications, system, time and sound activities. This information can then be logged, emailed or sent via FTP (File Transfer Protocol) to a remote location.
Installation

MonitoringTool:Win32/DrpuPcDataManager installs the following directories on the user's computer:
%StartMenu%\Programs\DRPU PC Data Manager\
%Documents%\PC DM Files
%ProgramFiles%\DRPU PC Data Manager
MonitoringTool:Win32/DrpuPcDataManager then installs the following files on the user's computer:
%Desktop%\DRPU PC Data Manager.lnk
%StartMenu%\Programs\DRPU PC Data Manager\DRPU PC Data Manager.lnk
%StartMenu%\Programs\DRPU PC Data Manager\Help.chm.lnk
%StartMenu%\Programs\DRPU PC Data Manager\Uninstall.lnk
%ProgramFiles%\DRPU PC Data Manager\Help.chm
%ProgramFiles%\DRPU PC Data Manager\Microsoft.Office.Interop.Excel.dll
%ProgramFiles%\DRPU PC Data Manager\Setting.exe
%ProgramFiles%\DRPU PC Data Manager\Setting.exe.manifest
%ProgramFiles%\DRPU PC Data Manager\Shk.exe.manifest
%ProgramFiles%\DRPU PC Data Manager\Uninstall.exe
%ProgramFiles%\DRPU PC Data Manager\uninstall.ico
%ProgramFiles%\DRPU PC Data Manager\Uninstall.txt
%windir%\system\DRPUPCDM.lnk
MonitoringTool:Win32/DrpuPcDataManager then makes the following changes to the registry:
Adds the following subkeys:
HKLM\SOFTWARE\DRPU Software Pvt. Ltd.
HKLM\SOFTWARE\DRPU Software Pvt. Ltd.\DRPU PC Data Manager
HKLM\SOFTWARE\DRPUPCDM
HKLM\SOFTWARE\DRPUPCDM\Application
HKLM\SOFTWARE\DRPUPCDM\Email
HKLM\SOFTWARE\DRPUPCDM\Screenshots
HKLM\SOFTWARE\DRPUPCDM\Setting
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DRPU PC Data Manager
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\apcdm.exe
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\apcdm.exe
Sets value: <default>
With data: "C:\\Program Files\\DRPU PC Data Manager\\apcdm.exe"
Sets value: "Path"
With data: "C:\\Program Files\\DRPU PC Data Manager"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "DRPU Pc Data manager"
With data: "\"C:\\Program Files\\DRPU PC Data Manager\\apcdm.exe\" \"hd\""
Note: the following system variables are resolved by the malware by querying the operating system:
%Desktop% refers to C:\Users\Public\Desktop
%StartMenu% refers to C:\ProgramData\Microsoft\Windows\Start Menu
%Documents% refers to C:\Users\Public\Documents
Execution
Logs user activities
MonitoringTool:Win32/DrpuPcDataManager is also known as "DRPU PC Data Manager"; its purpose is to monitor and log a user's keystrokes, clipboard, screenshots, applications, system, time and sound activities. This information can then be logged, emailed, or sent via FTP to a remote location.

MonitoringTool:Win32/DrpuPcDataManager also has the ability to hide itself from view so that it may go undetected by the affected user.

The recorded information is stored in the following directories:
%Documents%\PC DM Files\Images\
%Documents%\PC DM Files\Sound\
%Documents%\PC DM Files\<user name>\
where <user name> refers to the user's login name, for example: %Documents%\PC DM Files\Administrator
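As an added, read-only host check (not part of the original entry and not code from the DRPU product), the following PowerShell script reports whether the directories, files, registry subkeys and Run-key persistence value listed under Installation are present, and enumerates the per-user log folders described under Execution. It assumes the path expansions given in the entry's note; the WOW6432Node and Program Files (x86) variants are an assumption for a 32-bit build on 64-bit Windows and are not listed in the entry.

```powershell
# Added defensive check (not part of the original entry): report which of the
# DRPU PC Data Manager artifacts listed in the entry exist on this host.
# Path expansions follow the entry's note; the WOW6432Node / Program Files (x86)
# variants are an assumption for a 32-bit installer on 64-bit Windows.

$startMenu = 'C:\ProgramData\Microsoft\Windows\Start Menu'
$documents = 'C:\Users\Public\Documents'
$desktop   = 'C:\Users\Public\Desktop'
$windir    = $env:windir
$pfRoots   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Filesystem artifacts from the Installation and Execution sections
$paths = @(
    "$startMenu\Programs\DRPU PC Data Manager",
    "$desktop\DRPU PC Data Manager.lnk",
    "$windir\system\DRPUPCDM.lnk",
    "$documents\PC DM Files\Images",
    "$documents\PC DM Files\Sound"
)
foreach ($root in $pfRoots) {
    $paths += "$root\DRPU PC Data Manager"
    $paths += "$root\DRPU PC Data Manager\Setting.exe"
    $paths += "$root\DRPU PC Data Manager\apcdm.exe"   # path taken from the App Paths data
}

# Registry subkeys from the Installation section (plus the 32-bit redirected view)
$softwareRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
$regKeys = @()
foreach ($sw in $softwareRoots) {
    $regKeys += "$sw\DRPU Software Pvt. Ltd."
    $regKeys += "$sw\DRPUPCDM"
    $regKeys += "$sw\Microsoft\Windows\CurrentVersion\Uninstall\DRPU PC Data Manager"
    $regKeys += "$sw\Microsoft\Windows\CurrentVersion\App Paths\apcdm.exe"
}

$findings = @()
foreach ($p in $paths)   { if (Test-Path -LiteralPath $p) { $findings += "Filesystem: $p" } }
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $findings += "Registry key: $k" } }

# Persistence: the entry lists a Run value whose data launches apcdm.exe with the "hd" argument.
# Match on the executable name rather than the value name, which an operator can change.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($sw in $softwareRoots) {
    $run = Get-ItemProperty -Path "$sw\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }   # skip provider metadata
        if ($prop.Value -is [string] -and $prop.Value -match 'apcdm\.exe') {
            $findings += "Run value '$($prop.Name)' under $sw = $($prop.Value)"
        }
    }
}

# Execution: one log folder per login name under PC DM Files, beside Images and Sound
$logRoot = "$documents\PC DM Files"
if (Test-Path -LiteralPath $logRoot) {
    $userDirs = Get-ChildItem -LiteralPath $logRoot -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin @('Images', 'Sound') }
    foreach ($d in $userDirs) { $findings += "Per-user log folder: $($d.FullName)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No DRPU PC Data Manager artifacts found.'
} else {
    Write-Output "Found $($findings.Count) artifact(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so HKLM and the public profile folders are readable. The Run-key check deliberately matches on apcdm.exe in the value data rather than on the value name "DRPU Pc Data manager", since the name is easy to change while the launched executable is what the persistence depends on; a hit there is the strongest indicator that the tool is set to start with Windows.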
Analysis by Michael Johnson