Monitoring-Tool:W32/PCDM.A

Monitoring-Tool:W32/PCDM.A is a riskware application designed to perform monitoring activities in a computer. The program must be manually installed on the computer system.

According to the application's product page, the program has the following features/functionalities:

System Monitoring

• Records clipboard entries and other copy-paste operations.
• Captures Windows screenshots at regular time interval (with slideshow viewing).
• Records system logins.
• Records any changes made in system date and time.
• Records keystroke entries (passwords, URLs, texts, documents) etc.

Internet Monitoring

• Records online voice chat conversations.
• Records browsed web pages.
• Records composed and send emails.
• Records internet cookies, temp files and more.

Log Report and Emailing

• Automatically prepares log report of entire PC activities.
• Displays the log report in Text or HTML file formats.
• Sends log report to defined e-mail address or uploads it to a remote server using FTP server settings.

Privacy

• Password-protection feature restricts external users from changing software settings.
• Administrator can easily hide the software from Add/remove list, Program folders, Start menu, and so on
• Hot keys and Run command settings facilitates access to software running in stealth mode.

Here is a screenshot of its user interface:

Installation

The default installation is to the following location:

• %Program Files%\DRPU PC\Data Manager

At this location are saved the program's main binary files and components:

• apcdm.exe - main binary file detected as Monitoring-Tool:W32/PCDM.A
• Help.chm
• Microsoft.Office.Interop.Excel.dll
• Pcdll.dll
• Settings.exe
• Settings.exe.manifest
• Shk.exe
• Shk.exe.manifest
• Uninstall.exe
• Uninstall.ico
• Uninstall.txt

Collected Log files for each users are stored in the following folder:

• %Documents and Settings%\All Users\Documents\PC DM Files

Note:%Program Files% is the environment variable for the Program Files Directory, which is typically the C:\Program Files folder.

%Documents and Settings% is the environment variable for the Documents and Settings Directory, which is typically the C:\Documents and Settings folder.

Stealth

Though the program claims to be running in stealth mode, it does not implement any high level techniques to hide its process and folders, the former being easily identified using freely available tools, as seen in this screenshot of three different tools used to view the processes (click for larger view):

https://www.f-secure.com/v-pics/monitoring_tool_w32_pcdm_processes.jpg

Folders can be made visible by making certain changes to the Windows Folder Options settings, as can be seen in the image below (click for larger view):

https://www.f-secure.com/v-pics/monitoring_tool_w32_pcdm_folders.jpg

• Show hidden files and folders is selected.
• Hide Protected operating System files (recommended) is unchecked.

Registry Changes

The following are the registry entries created by the program:

• HKEY_LOCAL_MACHINE\Software\DRPUPCDM
• HKEY_CURRENT_USER\Software\DRPUPCDM
• HHEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run DRPU Pc Data manager = \apcdm.exe "hd"

Where "=" is the installation directory of the program and "hd" is its parameter indicating that the program be run as hidden.