Updated: February 13, 2007 11:38:46 AM
Type: Spyware
Publisher: Spytech, Inc
Risk Impact: High
File Names: sysdiag.exe,svchost.exe,SystemSA32N.dll,YahooDLL.dll,SystemSA32.dll,sagent.exe
Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows XP
When the risk is executed, it performs the following actions:
- May add the following values:
"Srv32Win" = "C:\Program Files\nvclient\sysdiag.exe"
"1SPC" = "C:\Program Files\SentryPC\services.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that it starts when Windows starts.
- May add the value:
"C:\WINDOWS\unvise32.exe" = "1"
to the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
- May add the value:
"IgnoreShiftOveride" = "1"
to the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- May create the following registry subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeyCaptor
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetVizor
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SentryPC
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spytech SpyAgent
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Spytech SpyAgent
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\SentryPC
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\NetVizor
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\KeyCaptor
- May create the following folders that contain a number of log files:
- %Windir%\sacache
- %Windir%\syscache
- %SystemDrive%\Documents and Settings\All Users\Application Data\AgentSS
- %SystemDrive%\Documents and Settings\All Users\Application Data\sacache
Note:
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
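The registry values, subkeys and log folders listed above can be audited on a host with the following read-only PowerShell check. This is an added example, not part of the original writeup; the function name and the shape of the checks are the editor's, while every value name, key path and folder comes from the list above (the Winlogon value name is spelled as the writeup gives it).

```powershell
# Added example (not from the original writeup): read-only audit of the
# registry and folder indicators listed above. Returns a list of findings.
function Test-SpytechIndicators {
    $findings = @()

    # Run key values that give the spyware a start-up entry
    $runKey = Get-Item 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    foreach ($name in 'Srv32Win', '1SPC') {
        $data = if ($runKey) { $runKey.GetValue($name) } else { $null }
        if ($data) { $findings += "Run\$name = $data" }
    }

    # SharedDLLs entry that references the uninstaller component
    $shared = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs' -ErrorAction SilentlyContinue
    if ($shared -and $null -ne $shared.GetValue('C:\WINDOWS\unvise32.exe')) {
        $findings += 'SharedDLLs\C:\WINDOWS\unvise32.exe present'
    }

    # Winlogon value the writeup lists (value name spelled as in the writeup)
    $winlogon = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($winlogon -and "$($winlogon.GetValue('IgnoreShiftOveride'))" -eq '1') {
        $findings += 'Winlogon\IgnoreShiftOveride = 1'
    }

    # Uninstall and Start Menu MenuOrder subkeys for each product name
    foreach ($product in 'KeyCaptor', 'NetVizor', 'SentryPC', 'Spytech SpyAgent') {
        $paths = @(
            "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$product",
            "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\$product"
        )
        foreach ($p in $paths) {
            if (Test-Path -LiteralPath $p) { $findings += "Subkey $p" }
        }
    }

    # Log folders created under %Windir% and the All Users profile
    $allUsers = Join-Path $env:SystemDrive 'Documents and Settings\All Users\Application Data'
    foreach ($dir in "$env:windir\sacache", "$env:windir\syscache",
                     (Join-Path $allUsers 'AgentSS'), (Join-Path $allUsers 'sacache')) {
        if (Test-Path -LiteralPath $dir -PathType Container) { $findings += "Folder $dir" }
    }

    return $findings
}

$hits = Test-SpytechIndicators
if ($hits.Count -eq 0) { 'No listed indicators found.' } else { $hits }
```

Run it from an elevated prompt so the HKLM keys are readable; a hit on a single indicator is a reason to inspect the host, not proof on its own, since the writeup marks several components as legitimate.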
- May then create the following files:
- %System%\ntinvisible.dll
- %Windir%\libimg.dll (legitimate component)
- %Windir%\sbrowse.exe
- %Windir%\snmpapi.dll (legitimate component)
- %Windir%\systemsa32.dll
- %Windir%\yahoodll.dll
- %Windir%\saopts.dat
- %Windir%\nvopts.dat
- %System%\acopts.dat
- %SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]-acu.dat
- %SystemDrive%\Documents and Settings\All Users\Application Data\[USER NAME]-acopts.dat
- %SystemDrive%\Documents and Settings\All Users\Application Data\sacache\nowin.log
- %Windir%\kcopts.dat
- %Windir%\nvvopts.dat
- %Windir%\nvsys.dat
- %Windir%\registry.dat
- %SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].idf
- %Windir%\syscache\wincfg[RANDOM CHARS].ssf
- %Windir%\sadefs.dat
- %SystemDrive%\Documents and Settings\All Users\Application Data\emopts.dat
- %Windir%\spcchat.dll
- %Windir%\ACSystem.dll
- %Windir%\SystemSa32N.dll
- %ProgramFiles%\nvclient\svchost.exe
- %ProgramFiles%\nvclient\sysdiag.exe
- %Windir%\SystemSA32.dll
- %System%\spcinvis.dll
- %Windir%\NTInvisible.dll
- %Windir%\spcviewer.exe
- %Windir%\clfct.dll
- %Windir%\sview.exe
- %System%\sinvfct.dll
- %System%\msvcr70.dll
- %Windir%\Base64.dll
- %Windir%\sysk32.dll
- %Windir%\unvise32.exe (legitimate component)
Note:
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- May also create one of the following folders:
- %ProgramFiles%\NetVizor
- %ProgramFiles%\SentryPC
- %ProgramFiles%\Spytech Software\Spytech SpyAgent
- %ProgramFiles%\KeyCaptor
- May populate the above folders with the following files:
- deploy.exe
- help.htm
- license.txt
- nostealth.exe
- readme!.txt
- svchost.exe
- sysdiag.exe
- uninstal.log
- uninstaller.dll
- services.exe
- Other files, depending on the version of the spyware
- May create one of the following folders:
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\KeyCaptor
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NetVizor
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\SentryPC
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Spytech SpyAgent
- May populate the above folder with the following files:
- Help Documentation.lnk
- License EULA.lnk
- Read me.lnk
- Other files, depending on the version of the spyware
- May also create the following folder, which contains legitimate Win Packet Capture library components:
%ProgramFiles%\WinConfig winpcap
- Can be run in full silent mode with no splash screen in the full, non-trial version.
- Can create an Administrative install or a more basic Stealth install (no help files or shortcuts).
- Provides an option to create an uninstaller.
- Records some of the following data:
- Keystrokes
- Web sites visited
- Files opened
- Email sent/received
- Instant messages sent/received
- Internet connections