Spyware.WebMailSpy


Updated: February 13, 2007 11:38:14 AM
Type: Spyware
Version: 2.0
Publisher: ExploreAnywhere
Risk Impact: Medium
File Names: WebMailSpy.exe
Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows XP


Spyware.WebMailSpy is distributed as the file Webmailspy-setup-sw.exe. When this file is executed, it installs these files:
  • WebMailSpy.exe: The main spyware file, detected as Spyware.WebMailSpy.
  • Wmssys32.dll: Detected as Spyware.ISpynow.
  • License.txt
  • Readme.txt
This spyware can do the following:
  • Record the contents of Web-based email.
  • Run in stealth mode, so that you cannot see that it is running.
  • Disable the option to bypass Windows startup programs by holding down the Shift key when you start the computer (Windows NT/2000/XP).
  • Disable the option to start in Safe mode (Windows 95/98/Me).
  • Prevent you from accessing the Task Manager (Windows 95/98/Me/NT/2000/XP).

The installation path, log files path, and hotkey combination are configurable.
  • The default <installation path> is "%ProgramFiles%\ExploreAnywhere\WebMail Spy"
  • The default <log files path> is "%System%\systray\"
  • The default <hotkey> is "CTRL+ALT+SHIFT+F3"

Notes:
  • %ProgramFiles% is a variable that refers to the path to the Program Files folder. By default, this is "C:\Program Files\".
  • %System% is a variable. Spyware.WebMailSpy locates the System folder and copies itself to that location. By default, this is "C:\Windows\System\" (Windows 95/98/Me), "C:\Winnt\System32\" (Windows NT/2000), or "C:\Windows\System32\" (Windows XP).


When Spyware.WebMailSpy runs, it performs the following actions:
  1. Adds the value:

    "1WinCfg32" = "<install_path>\WebMailSpy.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  2. Adds the value:

    "DisableTaskMgr" = "0x1"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    so that you cannot access the Task Manager.

  3. Windows NT/2000/XP only

    Sets the value:

    "IgnoreShiftOveride" = "0x1"

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    which disables the Windows startup bypass option that you can access by holding down the Shift key.

  4. Windows 95/98/Me only

    Modifies the value from:

    "BootKeys = 1"

    to:

    "BootKeys = 0"

    in the [Options] section of the C:\Msdos.sys file. This disables the use of the function key boot options (F4, F5, F6, F8, and Ctrl) during the boot process.

  5. Logs the contents of Web-based email to the <log_files_path> folder.
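As an added example (not part of the original writeup or the vendor's tooling), the following Python script turns steps 1 to 4 above into triage checks: the "1WinCfg32" Run value, the DisableTaskMgr policy, the Winlogon Shift-override value, and BootKeys=0 in the [Options] section of Msdos.sys. It works over a constructed registry snapshot (a plain dictionary) and constructed Msdos.sys text rather than the live registry, so it runs offline; the sample values mirror the defaults listed above but are constructed, not captured from a real host. Because the writeup spells the Winlogon value "IgnoreShiftOveride" while Windows documents it as "IgnoreShiftOverride", the check looks for both spellings. All function and constant names are my own.

```python
"""Triage checks for the Spyware.WebMailSpy indicators described in steps 1 to 4.

Added example, not vendor code. Registry data is passed in as a dictionary
(key path -> {value name: data}) so the logic can be exercised offline; on a live
Windows host the same dictionary can be filled from the winreg module.
"""
import configparser
import re
from typing import Dict, List

# Registry locations named in the writeup (steps 1 to 3).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# The writeup spells the value "IgnoreShiftOveride"; Windows documents it as
# "IgnoreShiftOverride". Checking both means a typo on either side is not missed.
SHIFT_OVERRIDE_NAMES = ("IgnoreShiftOverride", "IgnoreShiftOveride")

RegistrySnapshot = Dict[str, Dict[str, object]]


def _as_int(value) -> int:
    """Normalise a DWORD given as int, '1' or '0x1' to an int; unparsable data counts as 0."""
    if isinstance(value, int):
        return value
    try:
        return int(str(value), 0)
    except ValueError:
        return 0


def check_registry(snapshot: RegistrySnapshot) -> List[str]:
    """Return one finding per registry indicator present in the snapshot.

    Key paths are compared case-insensitively because registry paths are not
    case-sensitive (the writeup itself mixes HKEY_LOCAL_MACHINE and HKEY_Current_User).
    """
    snap = {path.lower(): values for path, values in snapshot.items()}
    findings: List[str] = []
    for name, data in snap.get(RUN_KEY.lower(), {}).items():
        # Step 1: persistence via the Run key, by value name or by the target file name.
        if name == "1WinCfg32" or str(data).lower().endswith("webmailspy.exe"):
            findings.append(f"persistence: Run\\{name} = {data}")
    # Step 2: Task Manager policy block.
    if _as_int(snap.get(POLICY_KEY.lower(), {}).get("DisableTaskMgr", 0)) == 1:
        findings.append("policy: DisableTaskMgr = 1 (Task Manager blocked)")
    # Step 3: Shift-key startup bypass disabled (Windows NT/2000/XP).
    winlogon = snap.get(WINLOGON_KEY.lower(), {})
    for name in SHIFT_OVERRIDE_NAMES:
        if _as_int(winlogon.get(name, 0)) == 1:
            findings.append(f"winlogon: {name} = 1 (Shift startup bypass disabled)")
    return findings


def check_msdos_sys(text: str) -> List[str]:
    """Step 4 (Windows 95/98/Me): report BootKeys=0 in the [Options] section of Msdos.sys."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(text)
    if cfg.has_section("Options") and cfg.get("Options", "BootKeys", fallback="1").strip() == "0":
        return ["msdos.sys: BootKeys=0 (F4/F5/F6/F8 boot options disabled)"]
    return []


_BOOTKEYS_RE = re.compile(r"^(\s*BootKeys\s*=\s*)0(\s*)$", re.IGNORECASE)


def restore_boot_keys(text: str) -> str:
    """Return Msdos.sys text with BootKeys reset to 1, touching only the [Options] section.

    The file is edited line by line so the ';xxxx' filler comment lines, which keep
    Msdos.sys over 1024 bytes for compatibility, are preserved unchanged.
    """
    out, in_options = [], False
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_options = stripped.lower() == "[options]"
        elif in_options:
            line = _BOOTKEYS_RE.sub(r"\g<1>1\2", line)
        out.append(line)
    return "".join(out)


def triage(snapshot: RegistrySnapshot, msdos_sys_text: str) -> List[str]:
    """Combine the registry and Msdos.sys checks into one list of findings."""
    return check_registry(snapshot) + check_msdos_sys(msdos_sys_text)


# Constructed sample data mirroring the defaults in the writeup (not from a real host).
SAMPLE_REGISTRY: RegistrySnapshot = {
    RUN_KEY: {"1WinCfg32": r"C:\Program Files\ExploreAnywhere\WebMail Spy\WebMailSpy.exe"},
    POLICY_KEY: {"DisableTaskMgr": "0x1"},
    WINLOGON_KEY: {"IgnoreShiftOverride": 1},
}

SAMPLE_MSDOS_SYS = """[Paths]
WinDir=C:\\WINDOWS
WinBootDir=C:\\WINDOWS
HostWinBootDrv=C

[Options]
BootMulti=1
BootGUI=1
BootKeys=0
;
;The following lines are required for compatibility with other programs.
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REGISTRY, SAMPLE_MSDOS_SYS):
        print(finding)
```

restore_boot_keys only returns the corrected text; writing it back to a Windows 9x machine is left to the operator, since Msdos.sys normally carries the read-only, hidden and system attributes and those must be cleared and restored around the write.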

