Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



13 February 2007
Risk Impact:
Systems Affected:


Spyware.Ssppyy monitors and records activity on your computer, such as email sent and received, Web sites visited, instant messaging communication, passwords, files, and keystrokes. Periodically, the spyware sends an email to a predefined email address, which contains the logged information.


Your Symantec program detects files as Spyware.Ssppyy.


Spyware.Ssppyy may arrive as an email greeting card. When you receive the email, Spyware.Ssppyy will silently install itself on your computer.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 06 May 2004
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 12 May 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Spyware.Ssppyy runs, it performs the following actions:
  1. Creates the following files:
    • %System%\clrprv.oo\dpserver2.dll
    • %System%\clrprv.oo\register.exe
    • %System%\clrprv.oo\ScrCapt.exe
    • %System%\clrprv.oo\server.exe
    • %System%\clrprv.oo\serverd.exe
    • %System%\clrprv.oo\update.exe

      Note: %System% is a variable: The spyware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "pcServer" = "%System%\clrprv.oo\server.exe"

    to the registry key:


  3. Allows an attacker to perform any of the following actions:

    • Monitor the emails transmitted through Hotmail, Yahoo, AOL, Excite, and Outlook and forward the emails to a predefined email address.
    • Download, upload, execute, and delete files.
    • Steal passwords.
    • Log keystrokes.
    • Monitor Web sites visited and instant messaging communications.
    • Capture screenshots.

  4. Sends the logged information to a predetermined email address.

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Delete the value that was added to the registry.
  3. Run a full system scan and delete all the files detected as Spyware.Ssppyy.

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To delete the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:


  4. In the right pane, delete the value:

    "pcServer" = "%System%\clrprv.oo\server.exe"

  5. Exit the Registry Editor.

  6. Restart the computer.

3. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.Ssppyy, click Delete.

    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.