Updated: December 7, 2007 5:13:02 PM
Type: Spyware
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
When the program is executed, it creates the following files:
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Mom Knows Best.lnk
- %UserProfile%\Desktop\Mom Knows Best.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\Mom Knows Best\Mom Knows Best.lnk
- %System%\IBHO.dll
- %System%\iClnt.exe
- %System%\iKB.ocx
- %System%\ionbho.tlb
- %System%\iontlb.tlb
- %System%\ISHo.dll
- %System%\iSrv.exe
- %System%\mData\mkb.chm
- %System%\mData\Unist\unins000.dat
- %System%\mData\Unist\unins000.exe
- %System%\mkb.dat
- %System%\mkb.exe
- %Windir%\is-HS57P.exe
- %Windir%\is-HS57P.lst
It also creates the following clean file:
%System%\COMCT232.OCX
Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mkb.exe" = "C:\WINDOWS\system32\mkb.exe"
It also creates the following registry subkeys:
- HKEY_CLASSES_ROOT\CLSID\{2D739B65-5A97-4F24-8C54-AFDFFF3270EE}
- HKEY_CLASSES_ROOT\CLSID\{86455BA9-417D-49AC-8797-7CA6A987BE39}
- HKEY_CLASSES_ROOT\CLSID\{EA6CB8D8-5848-4032-B56E-F7B13490790A}
- HKEY_CLASSES_ROOT\Interface\{007CB060-1B7C-11CF-9D53-00AA003C9CB6}
- HKEY_CLASSES_ROOT\Interface\{056482E3-4FFF-4BFF-B7A8-FA515188FF1C}
- HKEY_CLASSES_ROOT\Interface\{1163188B-3952-4205-9056-092E48176702}
- HKEY_CLASSES_ROOT\Interface\{1B8385E0-1B7D-11CF-9D53-00AA003C9CB6}
- HKEY_CLASSES_ROOT\Interface\{1CD1B0C0-1B7D-11CF-9D53-00AA003C9CB6}
- HKEY_CLASSES_ROOT\Interface\{A159B704-0B02-49D7-858E-59DC985349A7}
- HKEY_CLASSES_ROOT\Interface\{A4ACD186-2179-45EC-80E7-0D16455B7D68}
- HKEY_CLASSES_ROOT\Interface\{C03FFD65-0159-4A4B-B68A-541C8BC2D14D}
- HKEY_CLASSES_ROOT\Interface\{FF3626A0-1B7B-11CF-9D53-00AA003C9CB6}
- HKEY_CLASSES_ROOT\TypeLib\{3014F9CD-55F5-49A9-B9B7-B2C834AD7FA6}
- HKEY_CLASSES_ROOT\TypeLib\{4EE24C19-094E-44A7-AF5A-AB617AC6C21B}
- HKEY_CLASSES_ROOT\TypeLib\{B3CFA36C-0DC6-40D4-81BB-DB5CAD2E4978}
- HKEY_CLASSES_ROOT\TypeLib\{CE3393D1-284B-43D6-AE8B-CF66B54FE288}
- HKEY_CLASSES_ROOT\TypeLib\{CF9D9B76-EC4B-470D-99DC-AEC6F36A9261}
- HKEY_CLASSES_ROOT\iBHO.BHO
- HKEY_CLASSES_ROOT\iKB.iKBc
- HKEY_CLASSES_ROOT\iSho.SHo
- HKEY_LOCAL_MACHINE\SOFTWARE\Ion-I
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D739B65-5A97-4F24-8C54-AFDFFF3270EE}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mom Knows Best_is1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{EA6CB8D8-5848-4032-B56E-F7B13490790A}
The program then records information such as keystrokes and Web sites visited. The gathered information is stored locally on the computer and can be accessed by a remote user.
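The following PowerShell check is an added example, not part of the original writeup: it looks for the persistence artifacts listed above (the Run value, the Browser Helper Object CLSID, the ShellExecuteHooks entry, and the dropped %System% files). It assumes a Windows host with PowerShell 3 or later and read access to HKLM; the paths and CLSIDs are taken from the writeup.

```powershell
# Added example: check a host for the artifacts this writeup lists.
# Assumes PowerShell 3+ and read access to HKLM (not the original writeup's code).
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D739B65-5A97-4F24-8C54-AFDFFF3270EE}'
$hookKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$hookClsid = '{EA6CB8D8-5848-4032-B56E-F7B13490790A}'
$system    = [Environment]::GetFolderPath('System')
# Dropped components from the writeup's file list (names only; paths resolved below)
$files     = @('IBHO.dll','iClnt.exe','iKB.ocx','ISHo.dll','iSrv.exe','mkb.dat','mkb.exe') |
             ForEach-Object { Join-Path $system $_ }

$findings = @()

# 1. Run value "mkb.exe": executed at every Windows start
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['mkb.exe']) {
    $findings += "Run value 'mkb.exe' = $($run.'mkb.exe')"
}

# 2. Browser Helper Object registration: Internet Explorer loads the COM object
#    behind this CLSID at start-up, which is how the browsing data is captured
if (Test-Path -LiteralPath $bhoKey) {
    $findings += "BHO registered: $bhoKey"
}

# 3. ShellExecuteHooks entry: the hook DLL is loaded by processes calling ShellExecute,
#    giving the spyware another load point outside the browser
$hooks = Get-ItemProperty -Path $hookKey -ErrorAction SilentlyContinue
if ($hooks -and $hooks.PSObject.Properties[$hookClsid]) {
    $findings += "ShellExecuteHook registered: $hookClsid"
}

# 4. Dropped components on disk
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this writeup were found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

Run it from an elevated prompt so HKLM and the system directory are readable; any FOUND line is an indicator, not proof on its own, and the matching COMCT232.OCX file is a clean component and is deliberately not checked.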
Writeup By: Kevin Savage