Spyware.NetMama

Updated: July 03, 2006 9:20:26 AM
Type: Spyware
Risk Impact: High
Systems Affected: Windows

Behavior

Spyware.NetMama is spyware that logs the Web sites visited and the Internet chat conversations held on the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version May 01, 2017 revision 024
  • Initial Daily Certified version June 23, 2006
  • Latest Daily Certified version May 02, 2017 revision 001
  • Initial Weekly Certified release date June 28, 2006

When Spyware.NetMama is installed, it creates the following files:
%ProgramFiles%\Provisqz\dAPIs.dll
%ProgramFiles%\Provisqz\gongli.dll
%ProgramFiles%\Provisqz\jet32.dll
%ProgramFiles%\Provisqz\mama.dll
%ProgramFiles%\Provisqz\nbc.exe
%ProgramFiles%\Provisqz\nmmhelper.dll
%ProgramFiles%\Provisqz\nmst.exe
%ProgramFiles%\Provisqz\pch.dll
%CommonProgramFiles%\mmtsb\ebc_net.dll
%CommonProgramFiles%\mmtsb\logi0321.dll
%CommonProgramFiles%\mmtsb\net_m_m.exe
%CommonProgramFiles%\mmtsb\netm0_d.dll
%CommonProgramFiles%\mmtsb\NMimeF.dll
%CommonProgramFiles%\mmtsb\odbc.dll
%CommonProgramFiles%\mmtsb\pptq.dat
%System%\net_3201.dll
%System%\007.css
%System%\esp.bin
%System%\Lgmtapi3201.ini
%System%\main_1537.asa
%System%\nystem_09.dat
%System%\Print_321.dat

In order to run correctly, the application also drops third-party components in the %System% folder. A number of registry subkeys are associated with the following files:
%System%\MSInet.ocx
%System%\ImageSee.dll

In addition, a number of registry subkeys are created in association with the application:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D9ED5A8-EDBB-4B42-B549-DD4184E25592}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess\RegisteredApplications\{3C1182F3-442B-4C01-AE0F-99DFEF0B1F9F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess\RegisteredApplications\{51461ACD-9D36-4FAE-B8CC-B228B2B58621}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkCrawler\Objects\WorkgroupCrawler\sesessionPolicy328.23
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}

The risk also creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\"CLSID" = "{7D9ED5A8-EDBB-4B42-B549-DD4184E25592}"

The risk may create the following subkeys, if they do not already exist on the computer:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\dnsserver\dns
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\qate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\data\phoner
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Winamp.File
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Winamp.File\shell\open\command

The following registry value is also modified in order to hide installed files and folders:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "1"

The risk adds itself to the following registry entry, so that it will run every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,c:\program files\provisqz\nmst.exe"
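The two registry modifications above (the hidden-files SHOWALL value and the Userinit persistence entry) are easy to audit on a suspect host. The following read-only PowerShell script is an added example, not part of the Symantec write-up; it assumes the Windows defaults of a single Userinit entry pointing at %System%\userinit.exe and a CheckedValue of REG_DWORD 1, and it also checks for the Browser Helper Object CLSID listed above.

```powershell
# Added example: audit the registry settings the write-up says Spyware.NetMama
# changes. Run in an elevated PowerShell on the suspect host; reports only.
$findings = @()

# 1. Userinit: Windows normally holds a single entry, %System%\userinit.exe.
#    The write-up reports nmst.exe appended after a comma, so any extra
#    comma-separated entry is flagged.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($entry in $entries) {
    if ($entry -ine $expected) {
        $findings += "Unexpected Userinit entry: $entry"
    }
}

# 2. SHOWALL\CheckedValue: the Windows default is REG_DWORD 1 (assumption
#    stated in the lead-in). The write-up says the spyware modifies this
#    value to keep its files hidden, so any other type or value is flagged.
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$item = Get-Item -Path $showall
$kind = $item.GetValueKind('CheckedValue')
$val  = $item.GetValue('CheckedValue')
if ($kind -ne 'DWord' -or $val -ne 1) {
    $findings += "SHOWALL\CheckedValue altered: type=$kind value=$val"
}

# 3. Browser Helper Object registration using the CLSID from the write-up.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$clsid   = '{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}'
if (Test-Path (Join-Path $bhoRoot $clsid)) {
    $findings += "Browser Helper Object registered: $clsid"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'No Spyware.NetMama registry indicators found.'
}
```

A reported Userinit entry or an altered CheckedValue should be confirmed against the file list above before any cleanup, since other legitimate software occasionally appends to Userinit.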

The risk also creates the following folder in which to store logs:
%System%\scr_03

The risk also injects itself into all processes on the computer.

The program registers itself as a Browser Helper Object so that it can monitor Internet activity.

The risk logs all Internet-based keystrokes and URLs typed on the compromised computer.

When a preconfigured password is typed into the computer, the application's main interface is opened. This allows a user to view previously captured data.