Spyware.Netobserve


Updated: February 13, 2007 11:33:34 AM
Type: Spyware
Version: 2.0
Publisher: ExploreAnywhere Software
Risk Impact: High
File Names: broadcast.exe,no32mon.exe,EASYS.dll,syscap32.dll
Systems Affected: Windows

Behavior


Spyware.Netobserve is a computer surveillance utility that creates log files that contain information about various system activities. It can run completely in stealth mode, which means that there is no indication that Spyware.Netobserve is running on the infected computer.

Definitions dated before July 15, 2004 will detect this threat as Remacc.Netobserv.

Symptoms


The files are detected as Spyware.Netobserve.

Transmission


Spyware.Netobserve must be installed manually; it does not self-propagate.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 28, 2017 revision 017
  • Initial Daily Certified version July 08, 2004
  • Latest Daily Certified version March 28, 2017 revision 019
  • Initial Weekly Certified release date July 12, 2004




According to the threat's Web site, it has the following features:

Surveillance and logging features

  • Internet Conversation Logging: Logs both sides of all chat conversations for AOL/ICQ/MSN/AIM/Yahoo Instant Messengers, and views them in real time.
  • Window Activity Logging: Captures information concerning all windows that were viewed and interacted with.
  • Application Activity Logging: Tracks every application executable that was executed and interacted with.
  • Clipboard Activity Logging: Captures and stores all text and image items that were copied to the clipboard while the user was using the PC.
  • Printed Documents Logging: Logs specific information on all documents that were sent to the printer spool.
  • Keystroke Monitoring [before | after]: Tracks all pressed keystrokes and in which windows they were pressed. Keystrokes can also be passed through a formatter for viewing/exporting.
  • Websites Activity Logging: Logs all the Web site titles and addresses that were visited on the PC. Supported browsers include Internet Explorer, Netscape, and Opera.
  • Screen Shot Capturing: Automatically captures screen shots of the desktop at set intervals.
  • Webcam Picture Capturing: Automatically captures pictures from the Web cam connected to the PC.

Remote administration features
  • File Sharing: Browses directories/files in real time, as well as transfers files, renames files, and deletes files.
  • Startup Program Moderating: Remotely configures Windows startup applications by editing existing startup application data, or by deleting applications from starting on the machine running NETObserve.
  • Image Cache Browsing: Browses the remote machine's Internet Explorer image cache. Statistics for each image are included in the cache report, such as last view, total views, and more.
  • Favorite Places: Browses, launches, edits, deletes, and manages Internet Explorer bookmarks on the remote machine.
  • Internet Connection/Port Viewing: Views all open Internet connections and open ports on the machine running NETObserve. An integrated Whois Lookup is also included for instantly retrieving information on any remote host. Perfect for spotting Trojan horses [malicious viruses], or any possible open areas on your network that could lead to a dangerous situation.
  • Process Management: Remotely views open windows and processes on the machine running NETObserve. Terminates or closes a window with a single click.
  • System Control: Quickly shuts down/reboots/logs off the remote machine, as well as puts the machine into Lockdown Mode. Lockdown Mode will bar the PC of any usage, and the only way to regain control of it is if the administrator unlocks it.
  • Window Management: Remotely deactivates and kills windows (in real time) that you do not wish to run.

Security Features
  • Stealth Mode: Runs NETObserve in total stealth; the user will not be aware that it is running.
  • Web Content Filtering: Filters out Web sites and protocols from being used, and automatically tracks attempts made to view the banned material.
  • Windows Startup: Configures NETObserve to start up for a single user, or to start up as a service for all users on the system.
  • Automatic Active Startup: Configures NETObserve to start in "Active" mode when it is executed.
  • Password Protection: NETObserve requires a password for starting/stopping the monitoring process, and as well as when connecting to the NETObserve Web Control Panel.
  • 128-Bit Encryption: NETObserve uses the MD5 Message Digest Algorithm [as defined in RFC 1321]. The MD5 Message Digest Algorithm is a one-way hash algorithm, which takes any length of data and produces a 128 bit "fingerprint" or "message digest." This makes it impossible for your password to be intercepted and stolen when it is sent to NETObserve for validation.
  • IP Banning: Filters IP Addresses/Host Names from connecting to the NETObserve Web Control Panel.

Special Features
  • Log Exporting: Exports NETObserve logs to four different formats: Microsoft Excel, HTML, CSV, and Plain Text.
  • E-Mail Based IP Delivery: Automatically configures NETObserve to send an e-mail containing the remote machine's IP address.
  • Precise User Tracking: NETObserve will log the current Windows user and the time and date an action is performed. This will allow you to precisely track down activity to the exact user, at the exact time it happened.
  • Inactivity Monitoring: Automatically suspends NETObserve from monitoring if the system is inactive for a specified amount of time.
  • Scheduling Agent: Automatically configures NETObserve to start or stop at specified times and dates, or configures it to do so at the same time every day.
  • Automatic Log Clearing: Automatically clears old logs after a certain amount of data or number of keystrokes has been logged.
  • Two-Way Chat: Initiates a two-way chat room between the remote user (running the NETObserve software) and the user remotely connected to the NETObserve Web Control Panel.
  • Thread Priority: Adjusts SpyBuddy to adapt to your system. Using the built-in Thread Priority utility, you can make SpyBuddy run as fast as you need it to depending on your systems specifications.

Others
  • Automatic IP Detection: NETObserve can automatically detect your External IP Address and your Internal IP Address.
  • Port Configuration: Sets/changes the default for opening a connection on your PC to the NETObserve Web Control Panel.
  • Connection Logging: NETObserve will log all incoming connections to the NETObserve Web Control Panel, as well as login/logout times for later review.

Note: The default hot-key combination for bringing the hidden program to the foreground is Ctrl+Alt+Shift+F12.
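The "128-Bit Encryption" item above describes sending an MD5 digest of the password for validation and claims this stops the password from being intercepted. A one-way hash does not do that on its own: whatever crosses the wire is what the receiver accepts, so an observer who captures it can present it again. The model below is an added example, not NETObserve code; the product's real wire format is not on this page, so the class names, the hex encoding and the nonce-bound variant are assumptions used to show the difference between a bare digest and a challenge-response proof.

```python
"""Model of the password check the vendor text describes: the client sends
MD5(password) and the receiver compares it with a stored digest.

Added example, not NETObserve code. Class and function names are assumptions."""
import hashlib
import hmac
import os
from typing import Optional


def md5_hex(data: bytes) -> str:
    """RFC 1321 MD5: 128-bit digest rendered as 32 hex characters."""
    return hashlib.md5(data).hexdigest()


class DigestOnlyServer:
    """Scheme as described: stores MD5(password) and accepts whoever presents it."""

    def __init__(self, password: str) -> None:
        self.stored = md5_hex(password.encode())

    def login(self, presented_digest: str) -> bool:
        return hmac.compare_digest(self.stored, presented_digest)


def client_login_message(password: str) -> str:
    """What crosses the network: the digest itself, identical on every login."""
    return md5_hex(password.encode())


def replay(captured_message: str, server: DigestOnlyServer) -> bool:
    """An observer who captured one login never needs the cleartext password."""
    return server.login(captured_message)


class ChallengeResponseServer:
    """Same stored digest, but the proof is bound to a one-shot random nonce,
    so a captured response is useless against any later login attempt.
    (This does not help against someone who already holds the stored digest;
    that is a different problem from interception on the wire.)"""

    def __init__(self, password: str) -> None:
        self.stored = md5_hex(password.encode())
        self.nonce: Optional[str] = None

    def challenge(self) -> str:
        self.nonce = os.urandom(16).hex()
        return self.nonce

    def login(self, response: str) -> bool:
        if self.nonce is None:
            return False  # nothing outstanding: a stale response is rejected
        expected = hmac.new(self.stored.encode(), self.nonce.encode(),
                            hashlib.sha256).hexdigest()
        self.nonce = None  # each challenge can be answered at most once
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: str) -> str:
    """Client proves knowledge of the digest for this nonce only."""
    key = md5_hex(password.encode()).encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
```

Under the digest-only scheme, `replay()` succeeds with nothing but a captured login message; under the challenge-response scheme the same captured response fails against every later challenge. Note that the stored digest is still the effective credential in both variants, so the server-side store needs the same protection as a cleartext password would.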

When Spyware.Netobserve is installed, it performs the following actions:
  1. Adds the value:

    "ProductNonBootFiles"="0x30E2000D"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\904000001E872D116BF00006799C897E\Usage


  2. Adds the values:

    "buy_url"="[URL on the domain www.exploreanywhere.com]"
    "site_url"="[URL on the domain www.exploreanywhere.com]"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\ExploreAnywhere Software\NO

  3. Adds the values:

    "DisplayName"="NETObserve 2.97 TRIAL"
    "UninstallString"="%Windir%\unvise32.exe %ProgramFiles%\ExploreAnywhere\NETObserve\uninstal.log"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NETObserve 2.97 TRIAL

    Notes:
    • %Windir% is a variable. By default, this is C:\Windows or C:\Winnt.
    • %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.

  4. Adds the value:

    "%Windir%\unvise32.exe"="0x1"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls

  5. Adds the value:

    "1Sys32Cfg"="%ProgramFiles%\ExploreAnywhere\NETObserve\no32mon.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs when Windows starts up.

  6. Creates the following files:
    • %ProgramFiles%\ExploreAnywhere\NETObserve\Readme.txt
    • %ProgramFiles%\ExploreAnywhere\NETObserve\license.txt
    • %ProgramFiles%\ExploreAnywhere\NETObserve\broadcast.exe
    • %Windir%\EASYS.dll
    • %ProgramFiles%\ExploreAnywhere\NETObserve\help.hlp
    • %ProgramFiles%\ExploreAnywhere\NETObserve\help.cnt
    • %Windir%\noconfig.dat
    • %ProgramFiles%\ExploreAnywhere\NETObserve\Visit the NETObserve Website.url
    • %ProgramFiles%\ExploreAnywhere\NETObserve\Purchase NETObserve Now!.url
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\NETObserve.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\NETObserve Documentation.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\Visit NETObserve Website!.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\Readme.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\Purchase NETObserve Now!.lnk
    • %ProgramFiles%\ExploreAnywhere\NETObserve\no32mon.exe
    • %Windir%\nosys32.dll
    • %Windir%\syscap32.dll
    • %ProgramFiles%\ExploreAnywhere\NETObserve\uninstal.log
    • %Windir%\unvise32.exe
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\NETObserve 2.97 TRIAL\Remove NETObserve 2.97 TRIAL.lnk

    Note: %SystemDrive% is a variable that refers to the drive on which the Windows installation resides. By default, this is drive C.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

  1. Update the definitions.
  2. Uninstall Spyware.Netobserve using the Add/Remove Programs utility.
  3. Run a full system scan and delete all the files detected as Spyware.Netobserve.
  4. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To uninstall the spyware
  1. Do one of the following:
    • On the Windows 98 taskbar:
      1. Click Start > Settings > Control Panel.
      2. In the Control Panel window, double-click Add/Remove Programs.

    • On the Windows Me taskbar:
      1. Click Start > Settings > Control Panel.
      2. In the Control Panel window, double-click Add/Remove Programs.
        If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."

    • On the Windows 2000 taskbar:
      By default, Windows 2000 is set up the same as Windows 98, so follow the instructions for Windows 98. If otherwise, click Start, point to Settings > Control Panel, and then click Add/Remove Programs.

    • On the Windows XP taskbar:
      1. Click Start > Control Panel.
      2. In the Control Panel window, double-click Add or Remove Programs.

  2. Click NETObserve 2.97 Trial.


    Note:
    You may need to use the scroll bar to view the whole list.

  3. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

3. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.Netobserve, click Delete.

    Notes:
  • If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.
  • If you ran the Add/Remove programs applet as described in the previous section, all the files may have been removed, and thus none of them will be detected.


4. To delete the value from the registry

Important:
Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document "How to make a backup of the Windows registry" for instructions.

Note:
This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.

  1. Click Start > Run.
  2. Type regedit

    Then click OK.

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\904000001E872D116BF00006799C897E\Usage

  4. In the right pane, delete the value:

    "ProductNonBootFiles"=0x30E2000D

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\ExploreAnywhere Software

  6. In the left pane, delete the subkey:

    NO

  7. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

  8. In the left pane, delete the subkey:

    NETObserve 2.97 TRIAL
  9. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  10. In the right pane, delete the value:

    "1Sys32Cfg"="%ProgramFiles%\ExploreAnywhere\NETObserve\no32mon.exe"
  11. Exit the Registry Editor.
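The installation actions listed earlier (the Run value, the vendor and uninstall keys, the SharedDlls and Installer usage entries, and the files dropped into %Windir% and the program folder) and the manual removal steps above are the same set of artifacts seen from two sides. The script below is an added example for this page, not Symantec's or ExploreAnywhere's code: it audits every artifact the write-up names on one host and, only when given -Remove, stops the resident process and deletes them. Two things it assumes that the page does not state: on 64-bit Windows a 32-bit installer may land its HKLM\SOFTWARE keys under WOW6432Node, so both locations are checked, and the All Users Start Menu folder is resolved through the CommonPrograms special folder rather than the hard-coded Documents and Settings path.

```powershell
<#
  Added audit/cleanup script for the artifacts listed in this write-up.
  Not Symantec's or ExploreAnywhere's code. Assumptions: WOW6432Node is checked
  as well as the native HKLM\SOFTWARE path, and the Start Menu folder is resolved
  via [Environment]::GetFolderPath('CommonPrograms').
  Run from an elevated PowerShell. "-Remove -WhatIf" shows what would be deleted.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$win = $env:windir

# Program folder(s) and the Start Menu group the installer creates
$appDirs = @("$env:ProgramFiles\ExploreAnywhere\NETObserve")
if (${env:ProgramFiles(x86)}) { $appDirs += "${env:ProgramFiles(x86)}\ExploreAnywhere\NETObserve" }
$appDirs += Join-Path ([Environment]::GetFolderPath('CommonPrograms')) 'NETObserve 2.97 TRIAL'

# Loose files dropped into %Windir% (from the file list above)
$winFiles = 'EASYS.dll', 'noconfig.dat', 'nosys32.dll', 'syscap32.dll', 'unvise32.exe' |
    ForEach-Object { Join-Path $win $_ }

# Registry artifacts. Value = $null means the whole subkey is the artifact.
$regItems = foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    [pscustomobject]@{ Path = "$root\Microsoft\Windows\CurrentVersion\Run";        Value = '1Sys32Cfg' }
    [pscustomobject]@{ Path = "$root\Microsoft\Windows\CurrentVersion\SharedDlls"; Value = "$win\unvise32.exe" }
    [pscustomobject]@{ Path = "$root\ExploreAnywhere Software\NO";                 Value = $null }
    [pscustomobject]@{ Path = "$root\Microsoft\Windows\CurrentVersion\Uninstall\NETObserve 2.97 TRIAL"; Value = $null }
}
$regItems += [pscustomobject]@{
    Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\904000001E872D116BF00006799C897E\Usage'
    Value = 'ProductNonBootFiles'
}

$found = New-Object System.Collections.Generic.List[object]

# 1. Resident monitor / broadcaster processes (names from the File Names field)
foreach ($p in Get-Process -Name no32mon, broadcast -ErrorAction SilentlyContinue) {
    $found.Add([pscustomobject]@{ Kind = 'Process'; Item = "$($p.ProcessName) (PID $($p.Id)) $($p.Path)"; Ref = $p })
}
# 2. Files and folders
foreach ($f in $winFiles + $appDirs) {
    if (Test-Path -LiteralPath $f) { $found.Add([pscustomobject]@{ Kind = 'File'; Item = $f; Ref = $f }) }
}
# 3. Registry keys and values
foreach ($r in $regItems) {
    if (-not (Test-Path -LiteralPath $r.Path)) { continue }
    if ($null -eq $r.Value) {
        $found.Add([pscustomobject]@{ Kind = 'RegKey'; Item = $r.Path; Ref = $r }); continue
    }
    $prop = (Get-ItemProperty -LiteralPath $r.Path).PSObject.Properties[$r.Value]
    if ($prop) {
        $found.Add([pscustomobject]@{ Kind = 'RegValue'; Item = "$($r.Path) -> $($r.Value) = $($prop.Value)"; Ref = $r })
    }
}

if ($found.Count -eq 0) { Write-Host 'No NETObserve artifacts found.'; return }
$found | Format-Table Kind, Item -AutoSize
if (-not $Remove) { return }

# Stop the monitor first; otherwise the DLL/EXE deletes fail on locked files.
foreach ($hit in $found | Where-Object Kind -eq 'Process') {
    if ($PSCmdlet.ShouldProcess($hit.Item, 'Stop-Process')) { Stop-Process -Id $hit.Ref.Id -Force }
}
foreach ($hit in $found | Where-Object Kind -eq 'File') {
    if ($PSCmdlet.ShouldProcess($hit.Item, 'Remove-Item')) { Remove-Item -LiteralPath $hit.Ref -Recurse -Force }
}
foreach ($hit in $found | Where-Object Kind -eq 'RegValue') {
    if ($PSCmdlet.ShouldProcess($hit.Item, 'Remove-ItemProperty')) {
        Remove-ItemProperty -LiteralPath $hit.Ref.Path -Name $hit.Ref.Value
    }
}
foreach ($hit in $found | Where-Object Kind -eq 'RegKey') {
    if ($PSCmdlet.ShouldProcess($hit.Item, 'Remove-Item')) { Remove-Item -LiteralPath $hit.Ref.Path -Recurse }
}
```

Without -Remove the script only reports, which is the useful mode when triaging a machine whose owner did not install the program and wants the evidence left intact. The ordering of the removal mirrors the manual procedure: the process is stopped before its files are deleted, and the Run value is removed so nothing is re-launched at the next logon.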