Spyware.MateWatcher


Updated: February 13, 2007 11:48:32 AM
Type: Spyware
Publisher: UserFriendlyProducts, Inc.
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Once Spyware.MateWatcher is installed, it performs the following actions:
    1. Creates the following folders:

      • C:\WORKSSETUP
      • %UserProfile%\Start Menu\Program\Programs\Control Panel Software

        Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

    2. Creates the following files:

      • C:\WORKSSETUP\DATA\Cpanel\cpanel.exe
      • C:\WORKSSETUP\DATA\Cpanel\Remote-Install-Help.chm
      • C:\WORKSSETUP\DATA\Cpanel\settings.ini
      • C:\WINDOWS\Control Panel Software Uninstaller.exe
      • %System%\vssver.scc
      • C:\WINDOWS\LastGood\INF\oem6.inf
      • C:\WINDOWS\LastGood\INF\oem6.PNF
      • %UserProfile%\Start Menu\Programs\Control Panel Software\Uninstall Control Panel Software.lnk
      • %UserProfile%\Start Menu\Programs\Control Panel Software\Start Control Panel Software.lnk
      • %UserProfile%\Start Menu\Programs\Control Panel Software\Control Panel Help File.lnk
      • %UserProfile%\Start Menu\Programs\Double-click to start Control Panel Software.lnk

        The risk also creates the following non-malicious components that may be used by other programs:

      • C:\WINDOWS\system32\vbrun60sp6.exe
      • C:\WINDOWS\system32\MSCOMCTL.OCX
      • C:\WINDOWS\system32\MSINET.OCX
      • C:\WINDOWS\system32\MSVBVM60.DLL
      • C:\WINDOWS\LastGood\system32\ASYCFILT.DLL
      • C:\WINDOWS\LastGood\system32\COMCAT.DLL
      • C:\WINDOWS\LastGood\system32\MSVBVM60.DLL
      • C:\WINDOWS\LastGood\system32\OLEAUT32.DLL
      • C:\WINDOWS\LastGood\system32\OLEPRO32.DLL
      • C:\WINDOWS\LastGood\system32\STDOLE2.TLB

        Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    3. Creates the following registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Userfriendlyproducts, Inc.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control Panel Software


      Note: The risk also creates numerous legitimate registry subkeys associated with the non-malicious components it creates.

    4. Logs keystrokes and monitors user activity on the compromised computer.
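
An added triage example, not part of the original writeup or any vendor tool: it classifies paths from a collected file listing (one path per line) against the files and folders listed above, keeping the non-malicious shared components separate so they are not counted as detections. The names `classify` and `triage` and the sample listing are constructed for illustration, and `%UserProfile%` and `%System%` are matched only at the default locations given in the notes above.

```python
import re

# Indicators copied from the writeup, lower-cased. Variable prefixes are dropped
# because %UserProfile% and %System% differ per user and per Windows version.
RISK_FIXED = [r"c:\workssetup",
              r"c:\windows\control panel software uninstaller.exe",
              r"c:\windows\lastgood\inf\oem6.inf",
              r"c:\windows\lastgood\inf\oem6.pnf"]
RISK_PROFILE = [r"start menu\programs\control panel software",
                r"start menu\programs\double-click to start control panel software.lnk"]
RISK_SYSTEM = ["vssver.scc"]
# Components the writeup calls non-malicious: reported, never counted as a hit.
SHARED = {"vbrun60sp6.exe", "mscomctl.ocx", "msinet.ocx", "msvbvm60.dll",
          "asycfilt.dll", "comcat.dll", "oleaut32.dll", "olepro32.dll", "stdole2.tlb"}

# Default locations given in the writeup's notes.
PROFILE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\(.+)$")
SYSTEM_RE = re.compile(r"^c:\\(?:windows\\system|winnt\\system32|windows\\system32)\\(.+)$")

def _under(path, root):
    return path == root or path.startswith(root + "\\")

def classify(path):
    """Return 'risk', 'shared' or None for one path from a file listing."""
    p = path.strip().replace("/", "\\").lower().rstrip("\\")
    if any(_under(p, r) for r in RISK_FIXED):
        return "risk"
    m = PROFILE_RE.match(p)
    if m and any(_under(m.group(1), r) for r in RISK_PROFILE):
        return "risk"
    m = SYSTEM_RE.match(p)
    if m and m.group(1) in RISK_SYSTEM:
        return "risk"
    return "shared" if p.rsplit("\\", 1)[-1] in SHARED else None

def triage(listing):
    hits = {"risk": [], "shared": []}
    for line in listing.splitlines():
        kind = classify(line)
        if kind:
            hits[kind].append(line.strip())
    return hits

# Constructed sample listing (not from the page).
SAMPLE = r"""C:\WORKSSETUP\DATA\Cpanel\cpanel.exe
C:\Documents and Settings\alice\Start Menu\Programs\Control Panel Software\Start Control Panel Software.lnk
C:\WINNT\System32\vssver.scc
C:\WINDOWS\system32\MSVBVM60.DLL
C:\Projects\app\vssver.scc
C:\WINDOWS\system32\notepad.exe"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `vssver.scc` outside the System folder is deliberately not reported, since the writeup lists that file only under `%System%`.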

