
Spyware.MomKnowsBest

Updated: December 7, 2007 5:13:02 PM
Type: Spyware
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Mom Knows Best.lnk
  • %UserProfile%\Desktop\Mom Knows Best.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Mom Knows Best\Mom Knows Best.lnk
  • %System%\IBHO.dll
  • %System%\iClnt.exe
  • %System%\iKB.ocx
  • %System%\ionbho.tlb
  • %System%\iontlb.tlb
  • %System%\ISHo.dll
  • %System%\iSrv.exe
  • %System%\mData\mkb.chm
  • %System%\mData\Unist\unins000.dat
  • %System%\mData\Unist\unins000.exe
  • %System%\mkb.dat
  • %System%\mkb.exe
  • %Windir%\is-HS57P.exe
  • %Windir%\is-HS57P.lst


It also creates the following clean file:
%System%\COMCT232.OCX

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mkb.exe" = "C:\WINDOWS\system32\mkb.exe"

It also creates the following registry subkeys:
  • HKEY_CLASSES_ROOT\CLSID\{2D739B65-5A97-4F24-8C54-AFDFFF3270EE}
  • HKEY_CLASSES_ROOT\CLSID\{86455BA9-417D-49AC-8797-7CA6A987BE39}
  • HKEY_CLASSES_ROOT\CLSID\{EA6CB8D8-5848-4032-B56E-F7B13490790A}
  • HKEY_CLASSES_ROOT\Interface\{007CB060-1B7C-11CF-9D53-00AA003C9CB6}
  • HKEY_CLASSES_ROOT\Interface\{056482E3-4FFF-4BFF-B7A8-FA515188FF1C}
  • HKEY_CLASSES_ROOT\Interface\{1163188B-3952-4205-9056-092E48176702}
  • HKEY_CLASSES_ROOT\Interface\{1B8385E0-1B7D-11CF-9D53-00AA003C9CB6}
  • HKEY_CLASSES_ROOT\Interface\{1CD1B0C0-1B7D-11CF-9D53-00AA003C9CB6}
  • HKEY_CLASSES_ROOT\Interface\{A159B704-0B02-49D7-858E-59DC985349A7}
  • HKEY_CLASSES_ROOT\Interface\{A4ACD186-2179-45EC-80E7-0D16455B7D68}
  • HKEY_CLASSES_ROOT\Interface\{C03FFD65-0159-4A4B-B68A-541C8BC2D14D}
  • HKEY_CLASSES_ROOT\Interface\{FF3626A0-1B7B-11CF-9D53-00AA003C9CB6}
  • HKEY_CLASSES_ROOT\TypeLib\{3014F9CD-55F5-49A9-B9B7-B2C834AD7FA6}
  • HKEY_CLASSES_ROOT\TypeLib\{4EE24C19-094E-44A7-AF5A-AB617AC6C21B}
  • HKEY_CLASSES_ROOT\TypeLib\{B3CFA36C-0DC6-40D4-81BB-DB5CAD2E4978}
  • HKEY_CLASSES_ROOT\TypeLib\{CE3393D1-284B-43D6-AE8B-CF66B54FE288}
  • HKEY_CLASSES_ROOT\TypeLib\{CF9D9B76-EC4B-470D-99DC-AEC6F36A9261}
  • HKEY_CLASSES_ROOT\iBHO.BHO
  • HKEY_CLASSES_ROOT\iKB.iKBc
  • HKEY_CLASSES_ROOT\iSho.SHo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Ion-I
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D739B65-5A97-4F24-8C54-AFDFFF3270EE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mom Knows Best_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{EA6CB8D8-5848-4032-B56E-F7B13490790A}


The program then records information such as keystrokes and Web sites visited. The gathered information is stored locally on the computer and can be accessed by a remote user.
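The following triage script is an added example, not part of the Symantec writeup: it parses a Windows .reg export and reports which of the registry artifacts listed above (the mkb.exe Run value, the Browser Helper Object and ShellExecuteHooks CLSIDs, and the Ion-I key) are present. The sample export embedded in it is constructed, and the parser only decodes the string and default values this check needs.

```python
import re

# Registry artifacts named in the writeup; keys are lowercased before comparison.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
INDICATOR_KEYS = {
    EXPLORER + r"\Browser Helper Objects\{2D739B65-5A97-4F24-8C54-AFDFFF3270EE}": "Browser Helper Object",
    EXPLORER + r"\ShellExecuteHooks\{EA6CB8D8-5848-4032-B56E-F7B13490790A}": "ShellExecuteHook",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Ion-I": "Ion-I vendor key",
}
_KEY_RE = re.compile(r"^\[(.+)\]$")               # [HKEY_...\Key]
_VALUE_RE = re.compile(r'^(?:"(.*?)"|@)=(.*)$')  # "name"=data or @=data

def parse_reg_export(text):
    """Parse .reg text into {key_lower: {value_name: data}}.  String data has
    regedit's escaping undone; dword:/hex: data and hex continuation lines
    (which carry no '=') are left as-is, which is enough for this triage."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current and (m := _VALUE_RE.match(line)):
            name = "(default)" if m.group(1) is None else m.group(1)
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_indicators(keys):
    """Return [(description, detail)] for each writeup artifact present."""
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "mkb.exe" or data.lower().endswith("\\mkb.exe"):
            hits.append(("Run key autostart", f"{name} = {data}"))
    hits += [(desc, key) for key, desc in INDICATOR_KEYS.items() if key.lower() in keys]
    return hits

# Constructed sample export (not from a real host): a benign Run value beside
# the writeup's mkb.exe value, plus the BHO CLSID and the Ion-I key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"mkb.exe"="C:\\WINDOWS\\system32\\mkb.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D739B65-5A97-4F24-8C54-AFDFFF3270EE}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Ion-I]
'''
```

Exports written by regedit or `reg export` are UTF-16LE text, so open a real file with `encoding="utf-16"` before passing its contents to `parse_reg_export`. The clean %System%\COMCT232.OCX file is deliberately not treated as an indicator, since the writeup identifies it as a legitimate component.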
Writeup By: Kevin Savage