Spyware.NetSpy

Updated: February 13, 2007 11:38:49 AM
Type: Spyware
Version: 3.0
Publisher: SkySof Software
Risk Impact: High
File Names: netspy.exe,nconfig.exe,nsutil.exe,nsys.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Spyware.NetSpy can do the following:
  • Log keystrokes
  • Run in hidden mode
  • Log or block URLs
  • Take screenshots

When Spyware.NetSpy is installed it does the following:
  1. Displays the product information.

  2. Creates the following files:
    • %System%\nsys.exe: Main logger. Detected as Spyware.NetSpy.
    • %System%\nconfig.exe: Main configuration file. Detected as Spyware.NetSpy.
    • %System%\nsutil.exe: Component that resets password and uninstalls. Detected as Spyware.NetSpy.
    • %System%\Faq.fil: Frequently Asked Questions.
    • %System%\MSVBVM60.DLL: Microsoft Visual Basic Virtual Machine Library.
    • %System%\kbhook.dll: Visual Basic keyboard hook library.
    • %System%\CaptureScreen.ocx: Screenshot capturing library.
    • %System%\Ijl11.dll: Intel JPEG Library.
    • %System%\Richtx32.ocx: Microsoft RichText Library.
    • %System%\file.txt: Log file.
    • %System%\file_keys.txt: Log file.
    • Additional JPEG and text files for logging are located in %System%.

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Adds the value:

    "nsys" = "nsys.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware runs when you start Windows.

  4. Adds the values:

    "%System%\nsys.exe" = "0x1"
    "%System%\nconfig.exe" = "0x1"
    "%System%\nsutil.exe" = "0x1"
    "%System%\Faq.fil" = "0x1"
    "%System%\kbhook.dll" = "0x1"
    "%System%\CaptureScreen.ocx" = "0x1"
    "%System%\Ijl11.dll" = "0x1"
    "%System%\Richtx32.ocx" = "0x1"


    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs

  5. Creates the following registry keys/values:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\nsys.exe\Path = "%System%"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\nsys.exe\(Default) = "%System%\nsys.exe"

    HKEY_CURRENT_USER\Software\S7000\Key
    HKEY_CURRENT_USER\Software\S7000\String1
    HKEY_CURRENT_USER\Software\S7000\String2


  6. Creates the registry key:

    HKEY_CURRENT_USER\Software\NetSpy

    and places the configuration settings as values in that key.

  7. Sets the value:

    "DisableTaskMgr" = "0x0"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    so that the spyware can enable and disable the Task Manager.
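
The installation traces listed above can be checked against an offline inventory of a host. The Python below is an added example, not part of the original write-up: it matches a file listing and `reg export` text against the three files marked "Detected as Spyware.NetSpy", the Run value and the two product keys, and ignores the supporting libraries (MSVBVM60.DLL, Richtx32.ocx, Ijl11.dll) that the write-up does not mark as detected. The function names, the sample inventory and the "Hidden" value name are constructed for illustration.

```python
import re

# Default %System% locations from the write-up's note (lower-cased for matching).
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
# Only these files are marked "Detected as Spyware.NetSpy" in the write-up.
DETECTED_FILES = {"nsys.exe", "nconfig.exe", "nsutil.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
PRODUCT_KEYS = [r"HKEY_CURRENT_USER\Software\NetSpy", r"HKEY_CURRENT_USER\Software\S7000"]

def parse_reg_export(text):
    """Parse `reg export` text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:  # value names escape backslashes as \\ in .reg files
                current[m.group(1).replace("\\\\", "\\").lower()] = m.group(2).strip('"')
    return keys

def find_netspy(file_paths, reg_text):
    """Return sorted findings; a file must be a detected name inside %System%."""
    findings = []
    for path in file_paths:
        folder, _, name = path.lower().rpartition("\\")
        if name in DETECTED_FILES and folder in SYSTEM_DIRS:
            findings.append("file:" + name)
    reg = parse_reg_export(reg_text)
    if reg.get(RUN_KEY, {}).get("nsys", "").lower() == "nsys.exe":
        findings.append("run:nsys")
    for key in PRODUCT_KEYS:
        low = key.lower()
        if any(k == low or k.startswith(low + "\\") for k in reg):
            findings.append("key:" + key.rsplit("\\", 1)[1])
    return sorted(findings)

# Constructed sample inventory; the "Hidden" value name is made up.
SAMPLE_FILES = [r"C:\WINDOWS\system32\nsys.exe", r"C:\WINDOWS\system32\MSVBVM60.DLL",
                r"D:\tools\nsutil.exe"]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nsys"="nsys.exe"

[HKEY_CURRENT_USER\Software\NetSpy]
"Hidden"="1"
'''
```

Calling `find_netspy(SAMPLE_FILES, SAMPLE_REG)` reports the logger file, the Run entry and the NetSpy key, while the Visual Basic runtime and the copy of nsutil.exe outside %System% are not reported.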

