W32/Isetspy-C is a worm that silently installs the System Monitor tool ActMon.

W32/Isetspy-C attempts to spread by copying itself to removable drives together with an autorun.inf file set to run kinza.exe. The file autorun.inf is detected as a component of W32/Isetspy-C.

When W32/Isetspy-C is installed, the following files are created:

System\boot.vbs
System\fiber.exe
System\imapd.exe
System\imapdb.dll
System\imapdb.exe
System\imapdc.dll
System\imapdc.vxd
System\imapdd.dll
System\imapde.dll
System\rbwinx1.dll

The file boot.vbs is also detected as a component of W32/Isetspy-C. Other files dropped are detected as components of the ActMon application.

The following registry entry is changed to run boot.vbs on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
System\userinit.exe,(System)\wscript.exe (System)\boot.vbs
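
A check for the Userinit change described above, as an added example that is not part of the original description or any vendor tool. It assumes the System folder is C:\Windows\system32 and that an unmodified value holds only userinit.exe followed by a trailing comma; the sample values are constructed.

```python
import ntpath

# Script interpreters that have no reason to appear in Userinit.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample values. C:\Windows\system32 is an assumed stand-in
# for the System folder placeholder used in the description.
CLEAN = r"C:\Windows\system32\userinit.exe,"
MODIFIED = (r"C:\Windows\system32\userinit.exe,"
            r"C:\Windows\system32\wscript.exe C:\Windows\system32\boot.vbs")


def audit_userinit(value, system_dir=r"C:\Windows\system32"):
    """Return (entry, kind, detail) for each Userinit entry that is not
    the expected userinit.exe in system_dir.

    Winlogon runs every comma-separated entry at logon, so any entry
    besides userinit.exe is a persistence candidate worth reviewing.
    Simplification: paths containing spaces are not handled.
    """
    expected = ntpath.normcase(ntpath.join(system_dir, "userinit.exe"))
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue  # trailing comma of an unmodified value
        if ntpath.normcase(entry.strip('"')) == expected:
            continue  # the legitimate entry, compared case-insensitively
        parts = entry.split()
        exe = ntpath.basename(parts[0].strip('"')).lower()
        if exe in SCRIPT_HOSTS:
            # Report the script handed to the interpreter, if any.
            script = ntpath.basename(parts[1].strip('"')) if len(parts) > 1 else ""
            findings.append((entry, "script-host", script))
        else:
            findings.append((entry, "unexpected-program", exe))
    return findings


if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("modified", MODIFIED)):
        print(label, audit_userinit(value))
```

On a live host the input is the Userinit value under the Winlogon key named above.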

More information can be found at this Sophos page.