Spyware.BEverywhere

Updated: February 13, 2007 11:37:14 AM
Type: Spyware
Risk Impact: Medium
File Names: BEWLDR32.EXE, BECONFIG.EXE, BEWREP.EXE, RMBEW.EXE, WSA32.DLL, WSA32.EXE, BE2INST.EXE
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


Spyware.BEverywhere does the following:
  1. Creates some of the following files:

    • %UserProfile%\Start Menu\Programs\Boss Everyware 2\Boss Everyware Help.lnk
    • %UserProfile%\Start Menu\Programs\Boss Everyware 2\Hide Boss Everyware.lnk
    • %UserProfile%\Start Menu\Programs\Boss Everyware 2\Logger Configurator.lnk
    • %UserProfile%\Start Menu\Programs\Boss Everyware 2\Report Manager.lnk
    • %UserProfile%\Application Data\BEHIVE.DAT
    • %System%\BEWLDR32.EXE
    • %System%\Wsa32\BE2.CHM
    • %System%\Wsa32\BECONFIG.EXE
    • %System%\Wsa32\BEWREP.EXE
    • %System%\Wsa32\LICENSE.TXT
    • %System%\Wsa32\PCSETUP.32
    • %System%\Wsa32\README.TXT
    • %System%\Wsa32\RMBEW.EXE
    • %System%\Wsa32\unins000.dat
    • %System%\Wsa32\unins000.exe
    • %System%\WSA32.DLL
    • %System%\WSA32.EXE
    • C:\BELogs\belog.cfg
    • C:\BELogs\[RANDOM FILENAME].dsv

      Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ber
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dbf
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dsv
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.elt
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BER
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBF
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DSV
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ELT
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\BEWREP.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\BECONFIG.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\BEWREP.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WSA32.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Boss Everyware 2.8_is1
    HKEY_LOCAL_MACHINE\SOFTWARE\Jmerik
    HKEY_USERS\Software\Jmerik

  3. Adds the value:

    "SysWsa32" = "%System%\WSA32.EXE"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Logs the following information:

    • Keystrokes
    • Web sites visited
    • Programs used
    • Idle time
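
The following read-only PowerShell check looks for the artifacts listed in steps 1 to 3 on a local host. It is an added example, not part of the original write-up or any vendor tool; the function name `Test-BEverywhereArtifacts` is hypothetical, and the script assumes it is run with rights to read HKEY_LOCAL_MACHINE and the System folder. Only the product-specific registry subkeys are checked, because file-association keys such as `.dbf` can belong to unrelated software.

```powershell
# Added example: report which Spyware.BEverywhere artifacts from this write-up exist locally.
# All file names, folders and registry names below are taken from the page; nothing is modified.
function Test-BEverywhereArtifacts {
    $sys  = [Environment]::SystemDirectory      # %System% as defined in the note above
    $hits = @()
    $new  = { param($type, $item, $detail)
              New-Object psobject -Property @{ Type = $type; Item = $item; Detail = $detail } }

    # Step 3: autostart value "SysWsa32" under the Run subkey
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'SysWsa32' -ErrorAction SilentlyContinue
    if ($run) { $hits += & $new 'RunValue' "$runKey\SysWsa32" $run.SysWsa32 }

    # Step 2: registry subkeys specific to this product
    $keys = @(
        'HKLM:\SOFTWARE\Jmerik',
        'HKLM:\SOFTWARE\Classes\Applications\BEWREP.EXE',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\BECONFIG.EXE',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\BEWREP.EXE',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WSA32.EXE',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Boss Everyware 2.8_is1'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $hits += & $new 'RegistryKey' $k '' }
    }

    # Step 1: executables, DLL and data files ("some of" these may be present)
    $files = @(
        "$sys\BEWLDR32.EXE", "$sys\WSA32.DLL", "$sys\WSA32.EXE",
        "$sys\Wsa32\BECONFIG.EXE", "$sys\Wsa32\BEWREP.EXE", "$sys\Wsa32\RMBEW.EXE",
        "$sys\Wsa32\PCSETUP.32", 'C:\BELogs\belog.cfg',
        (Join-Path $env:USERPROFILE 'Application Data\BEHIVE.DAT')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $hits += & $new 'File' $f '' }
    }

    # Step 1: log files with random names, C:\BELogs\[RANDOM FILENAME].dsv
    $logs = Get-ChildItem -Path 'C:\BELogs' -Filter '*.dsv' -ErrorAction SilentlyContinue
    foreach ($l in $logs) { $hits += & $new 'LogFile' $l.FullName "$($l.Length) bytes" }

    return $hits
}

# An empty result means none of the checked artifacts were found for the current user.
Test-BEverywhereArtifacts | Format-Table Type, Item, Detail -AutoSize
```

The file checks cover only the profile of the user running the script; repeat it per profile when several accounts use the machine.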

