Spyware.MailRedirector

Updated: March 20, 2006 7:30:19 PM
Type: Spyware
Risk Impact: High
Systems Affected: Windows

Behavior

Spyware.MailRedirector is spyware designed to monitor the target computer's email client and send a copy of outgoing emails to a predefined email address. The risk is not designed to work with Web-based email services.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version March 15, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date March 15, 2006

When the security risk program is installed, it creates the following files:
%System%\drivers\vmaser.exe
%System%\drivers\vmaser.sys

It also creates the following registry entry so that the application runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"ASER"= "%System%\drivers\vmaser.exe"

The risk creates the following service, so that the application can monitor SMTP traffic (uses TCP port 25 by default):
Service Name: vmaser
Display Name: vmaser

The following registry key is associated with the vmaser service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VMASER

The risk also modifies the following registry entry so that the NetBios over Tcpip service depends on the service the risk created, which causes the risk's service to be started whenever NetBT is started:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\"DependOnService"="Tcpip vmaser"

Upon installation, the application monitors SMTP traffic from the compromised computer. It parses the SMTP headers of each outgoing message and forwards a copy of the message to the predefined address by relaying it through its own SMTP server, which the application installs locally.
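As an added example (not part of the Symantec writeup), the following Python check looks for the two persistence indicators described above: an extra entry in the NetBT service's DependOnService list and a Run-key value that launches an executable from the drivers directory. The registry snapshot it runs over is constructed sample data, and the "Tcpip"-only baseline for NetBT is an assumption taken from the original value shown in the writeup.

```python
"""Offline check for the MailRedirector persistence indicators.
The registry values below are constructed sample data, not read from a host."""
import re
from typing import Dict, Iterable, List

# Assumed clean-host dependency list for NetBT (the writeup shows the
# original value as "Tcpip" before the risk appends its own service).
NETBT_BASELINE = ("Tcpip",)


def unexpected_netbt_dependencies(depend_on_service: Iterable[str],
                                  baseline=NETBT_BASELINE) -> List[str]:
    """Return service names in NetBT's DependOnService not in the baseline.

    DependOnService is REG_MULTI_SZ (one name per element); the writeup renders
    it as the single string "Tcpip vmaser", so whitespace-joined input is also
    accepted. Comparison is case-insensitive, as service names are on Windows.
    """
    names: List[str] = []
    for entry in depend_on_service:
        names.extend(entry.split())
    wanted = {b.lower() for b in baseline}
    return [n for n in names if n.lower() not in wanted]


# An .exe started from ...\drivers\ is unusual: that directory holds kernel
# drivers (.sys), not autostart programs.
SUSPICIOUS_RUN_PATH = re.compile(r"\\drivers\\[^\\]+\.exe$", re.IGNORECASE)


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return the names of Run-key values whose command is an .exe under drivers\\."""
    return [name for name, cmd in run_values.items()
            if SUSPICIOUS_RUN_PATH.search(cmd.strip('"'))]


# Constructed snapshot mirroring the indicators in the writeup.
SAMPLE_NETBT_DEPEND = ["Tcpip", "vmaser"]
SAMPLE_RUN = {
    "ASER": r"C:\WINDOWS\system32\drivers\vmaser.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    print(unexpected_netbt_dependencies(SAMPLE_NETBT_DEPEND))  # ['vmaser']
    print(suspicious_run_entries(SAMPLE_RUN))                   # ['ASER']
```

On a live Windows host the same two functions can be fed the values returned by winreg.QueryValueEx for the NetBT and Run keys named above.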