Spyware.IamBigBrother

Updated: February 7, 2007 8:47:43 PM
Type: Spyware
Name: IamBigBrother
Version: 9.0
Publisher: InternetSafetySoftware.com
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Spyware.IamBigBrother must be manually installed. The file name of the retail version may vary. The demo version of Spyware.IamBigBrother is distributed as the following file:
brother90demo.exe

Once executed, it creates the following files:
  • dlhost.exe
  • cpanel.exe
  • nl.exe
  • asycfilt.dll
  • comcat.dll
  • comdlg32.ocx
  • ctl3d32.dll
  • dartftp.dll
  • dartsock.dll
  • encodex.dll
  • ijl15.dll
  • ijl15.lib
  • ijl15l.lib
  • marbryObj.dll
  • mailcontrol.ocx
  • mimex.dll
  • winl.dll
  • IRIMG1.JPG
  • IRIMG2.JPG
  • bigbrotherbox.gif
  • box_kidcontrol.gif
  • dmm.dll
  • header_main_iambb.gif
  • help.htm
  • help_top.gif
  • iambb_screen.gif
  • ma.exe
  • spoolsv.exe
  • tutorial.gif
  • tutorial_1.gif
  • tutorial_2.gif
  • tutorial_3.gif
  • uninstall.dat
  • uninstall.xml
  • %System%\DOM.dll
  • %System%\DartFtp.dll
  • %System%\DartSock.dll
  • %System%\EncodeX.dll
  • %System%\MSCOMCT2.OCX
  • %System%\MSFLXGRD.OCX
  • %System%\MSINET.OCX
  • %System%\MabryObj.dll
  • %System%\MailControl.ocx
  • %System%\MimeX.dll
  • %System%\RICHTX32.OCX
  • %System%\SmtpX.DLL
  • %System%\comdlg32.ocx
  • %System%\csXImage.ocx
  • %Windir%\cp.exe

The security risk then creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Windows System Tray" = "[PATH TO SECURITY RISK]\dlhost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Service Manager" = "[PATH TO SECURITY RISK]\spoolsv.exe"
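
As an added example (not part of the original write-up or of any vendor tool), the Python code below checks `reg query` output for the Run key above against the two value names and file names listed here. The sample output and the install folder `ibb` are constructed; because `spoolsv.exe` is also the file name of the Windows print spooler, an entry where only the value name or only the file name fits is reported as `review` rather than `match`.

```python
import ntpath
import re

# Run-key value name -> file name, both taken from the write-up above.
IOC_RUN_VALUES = {
    "windows system tray": "dlhost.exe",
    "windows service manager": "spoolsv.exe",
}
# One value line of `reg query` output: name, type, data, four spaces apart.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def image_name(data):
    """Lower-cased executable file name from a Run-key command line."""
    # Quoted path, or unquoted text up to the first ".exe" (drops arguments).
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe)\b)', data, re.IGNORECASE)
    path = (m.group(1) or m.group(2)) if m else data.strip()
    return ntpath.basename(path).lower()


def scan_run_key(reg_query_output):
    """Return (value name, data, verdict) for entries that fit the write-up."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        expected = IOC_RUN_VALUES.get(name.strip().lower())
        image = image_name(data)
        if expected and image == expected:
            hits.append((name, data, "match"))   # value name and file agree
        elif expected or image in IOC_RUN_VALUES.values():
            hits.append((name, data, "review"))  # only one of the two agrees
    return hits


# Constructed sample output; the install folder "ibb" is hypothetical.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows System Tray    REG_SZ    C:\Program Files\ibb\dlhost.exe
    Windows Service Manager    REG_SZ    "C:\Program Files\ibb\spoolsv.exe" /s
    Backup Agent    REG_SZ    C:\Tools\backup\agent.exe
    Print Helper    REG_SZ    D:\apps\spoolsv.exe
"""

if __name__ == "__main__":
    print(*scan_run_key(SAMPLE), sep="\n")
```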

It also creates the following registry subkeys:
HKEY_Classes_Root\CLSID\{39fda070-61ba-11d2-ad84-00105a17b608}\InprocServer32
HKEY_Classes_Root\CLSID\{39fda070-61ba-11d2-ad84-00105a17b608}\ToolboxBitmap32
HKEY_Classes_Root\CLSID\{a1eedaa7-c4d8-11d2-ad9c-00105a17b608}\InprocServer32
HKEY_Classes_Root\CLSID\{a1eedaa7-c4d8-11d2-ad9c-00105a17b608}\ToolboxBitmap32
HKEY_Classes_Root\CLSID\{ca4fc24b-c65c-11d1-aa6f-000000000000}\InprocServer32
HKEY_Classes_Root\CLSID\{ca4fc24b-c65c-11d1-aa6f-000000000000}\ToolboxBitmap32
HKEY_Classes_Root\CLSID\{ddd136ce-517b-11d2-ad03-00105a17b608}\InprocServer32
HKEY_Classes_Root\CLSID\{ddd136ce-517b-11d2-ad03-00105a17b608}\ToolboxBitmap32
HKEY_Classes_Root\CLSID\{4f99a075-5227-11d2-ad06-00105a17b608}\InprocServer32
HKEY_Classes_Root\CLSID\{4f99a075-5227-11d2-ad06-00105a17b608}\ToolboxBitmap32
HKEY_Classes_Root\CLSID\{371d0743-7a57-11d2-ad5a-00105a17b608}\InprocServer32
HKEY_Classes_Root\CLSID\{371d0743-7a57-11d2-ad5a-00105a17b608}\ToolboxBitmap32
HKEY_Classes_Root\CLSID\{e9d55102-9683-11d2-ba68-0040053687fe}\InprocServer32
HKEY_Classes_Root\CLSID\{e9d55102-9683-11d2-ba68-0040053687fe}\ToolboxBitmap32
HKEY_Classes_Root\CLSID\{0c1f87ae-ae62-11d3-911c-00105a17b608}\InprocServer32
HKEY_Classes_Root\CLSID\{0c1f87ae-ae62-11d3-911c-00105a17b608}\ToolboxBitmap32
HKEY_Classes_Root\CLSID\{b22fe43c-d1e8-432a-a862-9f83d5f04732}\InprocServer32
HKEY_Classes_Root\CLSID\{b22fe43c-d1e8-432a-a862-9f83d5f04732}\ToolboxBitmap32

The security risk allows the user installing it to configure the installation Path and Log Files Path.