Updated: February 13, 2007 11:49:43 AM
Type: Spyware
Version: 1.0
Publisher: Nielsen//Netratings
Risk Impact: Medium
File Names: %ProgramFiles%\Netratings\Premeter\Netratings.exe
%ProgramFiles%\Netratings\Premeter\Nrpr.exe
%Sys
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Spyware.Netrat is installed, it performs the following actions:
- Creates the following files:
  - %ProgramFiles%\Netratings\Premeter\Netratings.exe
  - %ProgramFiles%\Netratings\Premeter\Nrpr.exe
  - %System%\NMTracer.dll
  - %System%\Drivers\nmconpid.sys
  - %ProgramFiles%\Opistat\Opistat\config.ini
  - %ProgramFiles%\Opistat\Opistat\netmeter.log
  - %ProgramFiles%\Opistat\Opistat\nmconpid.sys
  - %ProgramFiles%\Opistat\Opistat\nmconpid.vxd
  - %ProgramFiles%\Opistat\Opistat\nmgk101.dll
  - %ProgramFiles%\Opistat\Opistat\nmgk140.dll
  - %ProgramFiles%\Opistat\Opistat\nmnsob60.dll
  - %ProgramFiles%\Opistat\Opistat\nmnsob61.dll
  - %ProgramFiles%\Opistat\Opistat\nmnsob62.dll
  - %ProgramFiles%\Opistat\Opistat\nmobsvr.dll
  - %ProgramFiles%\Opistat\Opistat\OpiStat.exe
  - %ProgramFiles%\Opistat\Opistat\OpiStatInstall.exe
  - %ProgramFiles%\Opistat\Opistat\setup.ini
- Creates the following registry subkeys:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80D5D403-C430-4E44-877E-7627124DC23F}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2CFD6C20-5CA7-41F6-8464-173B04D90F1E}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6C7F7FAC-F1B3-4D42-985F-F776F91FA945}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D01CBDEC-6B8A-4A9B-A3AD-AE73D5510359}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NMIEObserver.NMIEWebObj
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NMIEObserver.NMIEWebObj.1
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpiStat
  - HKEY_LOCAL_MACHINE\SOFTWARE\OpiStat
- Creates the following registry subkeys, which may be used by legitimate programs:
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NMCONPID
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nmconpid
  - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\nmconpid
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NMCONPID
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nmconpid
  - HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
- Adds the value:
  "PrInstall" = "Software\OpiStat\OpiStat"
  to the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
- Adds the values:
  "Premeter" = "C:\Program Files\Netratings\Premeter\Netratings.exe"
  "Premeter" = "C:\Program Files\Netratings\Premeter\Nrpr.exe"
  "OpiStat" = "C:\Program Files\OpiStat\OpiStat\OpiStat.exe"
  to the registry subkey:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  so that it runs every time Windows starts.
- Attempts to connect to a URL on the opistat.com domain.
- Monitors and logs all network traffic on the computer and sends the logged data over HTTP to remote servers operated by Netratings.
The spyware can log the following information:
- Applications being used
- Web sites visited, including HTTP headers and POST data
- Email traffic, including sender and receiver addresses, subject, body, and attachments
- User activity and idle time
- Browser cookies
- Other outgoing and incoming network traffic
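
A check for the Run values listed above, as an added example that is not part of the original write-up: it parses the text output of `reg query` for the Run key and flags values whose name and path match the ones this page lists. The sample output and its `/s` argument are constructed, and matching on the path tail (to tolerate a different install drive) is an assumption of this example.

```python
import re

# Run values from the write-up: value name -> path tails (install drive may differ).
RUN_INDICATORS = {
    "premeter": (r"\netratings\premeter\netratings.exe",
                 r"\netratings\premeter\nrpr.exe"),
    "opistat": (r"\opistat\opistat\opistat.exe",),
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")

def parse_reg_query(text):
    """Parse `reg query` text into {lowercased key path: [(name, type, data)]}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), [])
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current.append(m.groups())
    return keys

def find_netrat_run_entries(text):
    """Return (name, data, confidence) for Run values matching the write-up."""
    hits = []
    for name, _type, data in parse_reg_query(text).get(RUN_KEY, []):
        tails = RUN_INDICATORS.get(name.strip().lower())
        if tails is None:
            continue
        # Data may be quoted or carry arguments, so test for the path tail.
        path = data.strip().strip('"').lower()
        confidence = "name+path" if any(t in path for t in tails) else "name-only"
        hits.append((name, data, confidence))
    return hits

# Constructed sample output, not captured from a real host.
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    Premeter    REG_SZ    D:\Program Files\Netratings\Premeter\Nrpr.exe",
    r'    OpiStat    REG_SZ    "C:\Program Files\OpiStat\OpiStat\OpiStat.exe" /s',
    r"    Premeter Helper    REG_SZ    C:\Tools\premeter.exe",
])

if __name__ == "__main__":
    for hit in find_netrat_run_entries(SAMPLE):
        print(hit)
```

A `name-only` result means the value name matches but the data points somewhere other than the paths on this page, so it needs manual review. A registry value name holds a single data entry, so a host will show at most one of the two `Premeter` paths.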