Updated: February 13, 2007 11:33:34 AM
Type: Spyware
Version: 2.0
Publisher: ExploreAnywhere Software
Risk Impact: High
File Names: broadcast.exe, no32mon.exe, EASYS.dll, syscap32.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
According to the threat's Web site, it has the following features:
Surveillance and logging features
- Internet Conversation Logging: Logs both sides of all chat conversations for AOL/ICQ/MSN/AIM/Yahoo Instant Messengers, and views them in real time.
- Window Activity Logging: Captures information concerning all windows that were viewed and interacted with.
- Application Activity Logging: Tracks every application executable that was executed and interacted with.
- Clipboard Activity Logging: Captures and stores all text and image items that were copied to the clipboard while the user was using the PC.
- Printed Documents Logging: Logs specific information on all documents that were sent to the printer spool.
- Keystroke Monitoring [before | after]: Tracks all pressed keystrokes and in which windows they were pressed. Keystrokes can also be passed through a formatter for viewing/exporting.
- Websites Activity Logging: Logs all the Web site titles and addresses that were visited on the PC. Supported browsers include Internet Explorer, Netscape, and Opera.
- Screen Shot Capturing: Automatically captures screen shots of the desktop at set intervals.
- Webcam Picture Capturing: Automatically captures pictures from the Web cam connected to the PC.
Remote administration features
- File Sharing: Browses directories/files in real time, as well as transfers files, renames files, and deletes files.
- Startup Program Moderating: Remotely configures Windows startup applications by editing existing startup application data, or by deleting applications from starting on the machine running NETObserve.
- Image Cache Browsing: Browses the remote machine's Internet Explorer image cache. Statistics for each image are included in the cache report, such as last view, total views, and more.
- Favorite Places: Browses, launches, edits, deletes, and manages Internet Explorer bookmarks on the remote machine.
- Internet Connection/Port Viewing: Views all open Internet connections and open ports on the machine running NETObserve. An integrated Whois Lookup is also included for instantly retrieving information on any remote host. Perfect for spotting Trojan horses [malicious viruses], or any possible open areas on your network that could lead to a dangerous situation.
- Process Management: Remotely views open windows and processes on the machine running NETObserve. Terminates or closes a window with a single click.
- System Control: Quickly shuts down/reboots/logs off the remote machine, as well as puts the machine into Lockdown Mode. Lockdown Mode will bar the PC of any usage, and the only way to regain control of it is if the administrator unlocks it.
- Window Management: Remotely deactivates and kills windows (in real time) that you do not wish to run.
Security Features
- Stealth Mode: Runs NETObserve in total stealth; the user will not be aware that it is running.
- Web Content Filtering: Filters out Web sites and protocols from being used, and automatically tracks attempts made to view the banned material.
- Windows Startup: Configures NETObserve to start up for a single user, or to start up as a service for all users on the system.
- Automatic Active Startup: Configures NETObserve to start in "Active" mode when it is executed.
- Password Protection: NETObserve requires a password for starting/stopping the monitoring process, as well as when connecting to the NETObserve Web Control Panel.
- 128-Bit Encryption: NETObserve uses the MD5 Message Digest Algorithm [as defined in RFC 1321]. The MD5 Message Digest Algorithm is a one-way hash algorithm, which takes any length of data and produces a 128 bit "fingerprint" or "message digest." This makes it impossible for your password to be intercepted and stolen when it is sent to NETObserve for validation.
- IP Banning: Filters IP Addresses/Host Names from connecting to the NETObserve Web Control Panel.
Special Features
- Log Exporting: Exports NETObserve logs to four different formats: Microsoft Excel, HTML, CSV, and Plain Text.
- E-Mail Based IP Delivery: Automatically configures NETObserve to send an e-mail containing the remote machine's IP Address.
- Precise User Tracking: NETObserve will log the current Windows user and the time and date an action is performed. This will allow you to precisely track down activity to the exact user, at the exact time it happened.
- Inactivity Monitoring: Automatically suspends NETObserve from monitoring if the system is inactive for a specified amount of time.
- Scheduling Agent: Automatically configures NETObserve to start or stop at specified times and dates, or configures it to do so at the same time every day.
- Automatic Log Clearing: Automatically clears old logs after a certain amount of data or keystrokes has been logged.
- Two-Way Chat: Initiates a two-way chat room between the remote user (running the NETObserve software) and the user remotely connected to the NETObserve Web Control Panel.
- Thread Priority: Adjusts SpyBuddy to adapt to your system. Using the built-in Thread Priority utility, you can make SpyBuddy run as fast as you need it to, depending on your system's specifications.
Others
- Automatic IP Detection: NETObserve can automatically detect your External IP Address and your Internal IP Address.
- Port Configuration: Sets/changes the default for opening a connection on your PC to the NETObserve Web Control Panel.
- Connection Logging: NETObserve will log all incoming connections to the NETObserve Web Control Panel, as well as login/logout times for later review.
Note: The default hot-key combination is Ctrl+Alt+Shift+F12.
When Spyware.NetObserve is run, it performs the following actions:
- Adds the value:
"ProductNonBootFiles"="0x30E2000D"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\904000001E872D116BF00006799C897E\Usage
- Adds the values:
"buy_url"="[URL on the domain www.exploreanywhere.com]"
"site_url"="[URL on the domain www.exploreanywhere.com]"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\ExploreAnywhere Software\NO
- Adds the values:
"DisplayName"="NETObserve 2.97 TRIAL"
"UninstallString"="%Windir%\unvise32.exe %ProgramFiles%\ExploreAnywhere\NETObserve\uninstal.log"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NETObserve 2.97 TRIAL
Notes:
- %Windir% is a variable. By default, this is C:\Windows or C:\Winnt.
- %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
- Adds the value:
"%Windir%\unvise32.exe"="0x1"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
- Adds the value:
"1Sys32Cfg"="%ProgramFiles%ExploreAnywhere\NETObserve\no32mon.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs when Windows starts up.
- Creates the following files:
- %ProgramFiles%\ExploreAnywhere\NETObserve\Readme.txt
- %ProgramFiles%\ExploreAnywhere\NETObserve\license.txt
- %ProgramFiles%\ExploreAnywhere\NETObserve\broadcast.exe
- %Windir%\EASYS.dll
- %ProgramFiles%\ExploreAnywhere\NETObserve\help.hlp
- %ProgramFiles%\ExploreAnywhere\NETObserve\help.cnt
- %Windir%\noconfig.dat
- %ProgramFiles%\ExploreAnywhere\NETObserve\Visit the NETObserve Website.url
- %ProgramFiles%\ExploreAnywhere\NETObserve\Purchase NETObserve Now!.url
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\NETObserve.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\NETObserve Documentation.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\Visit NETObserve Website!.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\Readme.lnk
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\Purchase NETObserve Now!.lnk
- %ProgramFiles%\ExploreAnywhere\NETObserve\no32mon.exe
- %Windir%\nosys32.dll
- %Windir%\syscap32.dll
- %ProgramFiles%\ExploreAnywhere\NETObserve\uninstal.log
- %Windir%\unvise32.exe
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\Remove NETObserve 2.97 TRIAL.lnk
Note: %SystemDrive% is a variable that refers to the drive on which the Windows installation resides. By default, this is drive C.
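As an added, read-only triage check (not part of this writeup, and not Symantec's or the vendor's code), the script below looks for the registry values and dropped files listed above on a live host. The registry paths and file names are taken from the writeup; the function name and the output layout are assumptions of this example.

```powershell
# Added example: report Spyware.NetObserve artifacts named in the writeup above.
# Read-only: nothing is deleted or modified. Function name is an assumption.
function Test-NetObserveArtifacts {
    $findings = @()

    # Persistence: the "1Sys32Cfg" value under the Run key pointing at no32mon.exe
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['1Sys32Cfg']) {
        $findings += [pscustomobject]@{
            Type = 'Registry'; Path = "$runKey\1Sys32Cfg"; Detail = $run.'1Sys32Cfg' }
    }

    # Vendor configuration key and the uninstall entry created at install time
    $keys = @(
        'HKLM:\SOFTWARE\ExploreAnywhere Software\NO',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NETObserve 2.97 TRIAL')
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Path = $key; Detail = 'key present' }
        }
    }

    # Dropped files in %Windir% and %ProgramFiles% (paths from the writeup)
    $windir = $env:windir
    $pf = $env:ProgramFiles
    $files = @(
        "$windir\EASYS.dll", "$windir\nosys32.dll", "$windir\syscap32.dll",
        "$windir\noconfig.dat", "$windir\unvise32.exe",
        "$pf\ExploreAnywhere\NETObserve\no32mon.exe",
        "$pf\ExploreAnywhere\NETObserve\broadcast.exe")
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $item = Get-Item -LiteralPath $f
            $findings += [pscustomobject]@{
                Type = 'File'; Path = $f
                Detail = "size=$($item.Length) modified=$($item.LastWriteTime)" }
        }
    }
    return $findings
}

# Usage: run elevated so HKLM and %Windir% are readable; empty output means no hits.
Test-NetObserveArtifacts | Format-Table -AutoSize
```

A hit on the Run value alone is the strongest single indicator here, since the writeup ties it directly to the monitoring component starting with Windows; the uninstall entry and .url/.lnk files only show that the installer ran.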