
Spyware.NiceSpy

Updated:
February 13, 2007 11:43:50 AM
Type:
Spyware
Version:
4.0
Publisher:
NICESOFT STUDIO
Risk Impact:
High
File Names:
setup.exe, nsserver.exe, spydll.dll, viewer.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Spyware.NiceSpy is installed, it performs the following actions:

  1. Creates the following files:

    • %UserProfile%\Desktop\NiceViewer.lnk
    • %ProgramFiles%\NiceSPY system expert\gdiplus.dll
    • %ProgramFiles%\NiceSPY system expert\messenger.dll
    • %ProgramFiles%\NiceSPY system expert\nsserver.exe
    • %ProgramFiles%\NiceSPY system expert\readme.htm
    • %ProgramFiles%\NiceSPY system expert\spyconfig.ini
    • %ProgramFiles%\NiceSPY system expert\spydll.dll
    • %ProgramFiles%\NiceSPY system expert\usermanual.htm
    • %ProgramFiles%\NiceSPY system expert\viewer.exe

      Notes:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03418CC8-4835-495B-B872-712373FCB9E8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D821067-FCF9-4704-9287-0D8F76FE6513}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF4F2EA-BB82-4B39-B6B1-76380A2BD511}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EA6B21C-D079-4496-811B-F65F789584B6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10E321CC-683E-4060-B938-4F53234D9593}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53DECA78-C334-4235-9165-1FE7D8912A76}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61A97AB1-549D-4BE0-B996-95DAC5CF266F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64C7DBCC-AA2A-46DE-BEC2-D38BDC7DE2B2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C36FAD9-05D1-4FEE-9801-C0D8DE072231}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7CCEA6B7-9FA5-4943-97D2-10D023CF0861}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81CA5571-C109-47AE-BE1C-2DF9CB8999FF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82782BC8-FA2C-4BE4-BB97-EDBFBE5D7A96}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8738B430-6CF3-4B27-86D3-6D3C5E70702A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8EA58D13-80D3-4D37-A348-6F54F221DBE6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90D0A753-AD45-40FD-8C6E-555600EE5EB4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93F6D1D2-E82D-446F-975A-8B2CEEE9AE9D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E5E31A2-B318-452A-9383-B21393234F1D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A62C8BDB-D1FC-4FDD-A2A2-EEFF73262A41}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A68D4F55-3A3F-4D36-97A6-E73DEF853DAC}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3F1977-CD10-41B2-9977-7693A4C13377}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AED3A6B3-2171-11D2-B77C-0008C73ACA8F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF027B74-640D-4DC9-A512-7B40AB718541}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B10BF17C-F7EC-4EE2-AD7A-6F42816AEC0F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1CC9084-0177-4136-9B1B-C06C061F1E1D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B3A0ACB9-3D8C-4999-9E6B-3E44372E11DD}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4B8EFD3-E3F5-4CFB-A658-3EB23D3394F7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBAAEA4B-AD29-47BD-8776-C787D5BE28AA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4A124C5-02E1-4556-83E0-CBA6BCF69D98}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5FF9F62-0E7C-4372-8AD5-DA7D2418070C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9EE4194-A178-4F1A-8374-3488B3839DD1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EBB60944-8D04-4293-93D7-8F9C92C7B0F2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F812B147-0E26-4222-8EE4-9F753CD2B39C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08B9999C-DAD2-4353-B25B-8CCAFFCA4D16}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{14E61A41-8846-11D2-B7E4-0008C73ACA8F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E6D8684-755D-4847-BF40-68EC5E4BC1E9}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23E86816-772B-4B28-A924-A135CFF6469A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A037057-57F0-4904-A1E0-AD0EA2FB564E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41DBA1FA-44F6-4BD5-82DF-1A7FDEA0475D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{56930358-AD72-408F-83C4-A2B0DC8037B2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{607A06FE-2FDA-4ADC-854D-D016D98D83DB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{65C53BE7-ED21-4C25-B189-DA0E8FAD5231}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{684130B2-2B8A-4E8D-BE71-8F4052882076}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{952F0B99-50B6-44B3-AE0D-700D5B98B416}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AED3A6B1-2171-11D2-B77C-0008C73ACA8F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF2ED965-E0BA-4FE4-ADE2-38BD48F112E8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E05AEA1E-BCB1-473A-8B2A-4829D9E1AD23}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A5F07B4C-3530-4982-80FE-261F8279DDC9}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Attachment
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Attachments
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Headers
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.MailMerge
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Message
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Messages
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResult
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResultCollection
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.PGPDecodeResults
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.POP3
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Recipient
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.Recipients
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.SMTPMail
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jmail.SpeedMailer
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.AboutBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.AboutBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.AppMonitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.AppMonitor.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.AppMonitorBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.AppMonitorBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.ExplorerBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.ExplorerBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.FileMonitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.FileMonitor.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.FileMonitorBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.FileMonitorBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.KeyBoardMonitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.KeyBoardMonitor.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.KeyBoardMonitorBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.KeyBoardMonitorBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.LogonMonitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.LogonMonitor.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.LogonMonitorBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.LogonMonitorBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.RegisterBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.RegisterBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.ScreenMonitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.ScreenMonitor.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.ScreenMonitorBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.ScreenMonitorBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.SettingBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.SettingBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.TextInputMonitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.TextInputMonitor.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.TextInputMonitorBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.TextInputMonitorBox.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.WebMonitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.WebMonitor.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.WebMonitorBox
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.WebMonitorBox.1


  3. Adds the value:

    "SystemService" = "C:\Program Files\NiceSPY system expert\nsserver.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Monitors user activity, logs keystrokes, and takes screenshots.
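The Run value and the dropped-file and class-key paths listed above are the indicators an analyst would look for on a suspect host. The script below is an added example written for this page, not Symantec's tooling. It assumes you have already collected, by whatever means you use, a dictionary of the values under the Run subkey, a file listing, and the subkey names under HKEY_LOCAL_MACHINE\SOFTWARE\Classes; it checks them against the indicators in the write-up, expanding %ProgramFiles% and %UserProfile% as the notes describe (the user name in the default profile path is a placeholder). The sample host data at the bottom is constructed.

```python
"""Check exported host data for the Spyware.NiceSpy indicators listed in the
write-up. Added example for this page; the sample data is constructed."""
import ntpath

# Indicators taken from the write-up: the autostart value, dropped files, and
# the ProgID prefixes registered under HKLM\SOFTWARE\Classes.
RUN_VALUE_NAME = "SystemService"
RUN_VALUE_DATA = r"C:\Program Files\NiceSPY system expert\nsserver.exe"
DROPPED_FILES = [
    r"%ProgramFiles%\NiceSPY system expert\nsserver.exe",
    r"%ProgramFiles%\NiceSPY system expert\spydll.dll",
    r"%ProgramFiles%\NiceSPY system expert\viewer.exe",
    r"%ProgramFiles%\NiceSPY system expert\spyconfig.ini",
    r"%UserProfile%\Desktop\NiceViewer.lnk",
]
CLASS_PREFIXES = ("nicespydll.", "jmail.")
CLASSES_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"


def expand(path, program_files=r"C:\Program Files",
           user_profile=r"C:\Documents and Settings\User"):
    """Expand the two variables the write-up's notes describe and normalise
    case and separators so paths from different sources compare equal.
    Defaults are the NT/2000/XP defaults the page gives; 'User' is a placeholder."""
    path = path.replace("%ProgramFiles%", program_files)
    path = path.replace("%UserProfile%", user_profile)
    return ntpath.normcase(path)


def check_run_values(run_values, **env):
    """run_values: {value name: command} exported from the Run subkey.
    A value matches on the page's name or on its expanded command (quotes
    around the command, common in Run values, are ignored)."""
    wanted = expand(RUN_VALUE_DATA, **env)
    return [name for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME.lower()
            or expand(data.strip('"'), **env) == wanted]


def check_files(present_files, **env):
    """present_files: paths from a directory listing of the host.
    Returns the listed paths that match a dropped file, as they were given."""
    wanted = {expand(p, **env) for p in DROPPED_FILES}
    return [p for p in present_files if expand(p, **env) in wanted]


def check_class_keys(class_keys):
    """class_keys: full key paths enumerated under HKLM\\SOFTWARE\\Classes.
    Returns the leaf names that carry one of the NiceSpy ProgID prefixes."""
    hits = []
    for key in class_keys:
        head, _, leaf = key.rpartition("\\")
        if head.lower() == CLASSES_ROOT.lower() and leaf.lower().startswith(CLASS_PREFIXES):
            hits.append(leaf)
    return hits


def scan_host(run_values, present_files, class_keys, **env):
    """Return every indicator found on the host; an empty list means none."""
    return (check_run_values(run_values, **env)
            + check_files(present_files, **env)
            + check_class_keys(class_keys))


# Constructed sample data standing in for a real host export.
SAMPLE_RUN = {
    "SystemService": r"C:\Program Files\NiceSPY system expert\nsserver.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FILES = [
    r"c:\program files\nicespy system expert\NSSERVER.EXE",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]
SAMPLE_CLASSES = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NiceSpyDll.KeyBoardMonitor",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8",
]

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_CLASSES):
        print("indicator found:", finding)
```

Matching is case-insensitive because the registry and NTFS are, and the command in the Run value is compared after expansion so a host with a non-default Program Files folder can be checked by passing `program_files=`. A hit on any of the three lists is a triage lead, not a removal procedure.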

