Spyware.MailRedirector

Updated:
20 March 2006
Risk Impact:
High
Systems Affected:
Windows

Behavior

Spyware.MailRedirector is spyware designed to monitor the target computer's email client and send a copy of outgoing emails to a predefined email address. The risk is not designed to work with Web-based email services.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 02 October 2014 revision 022
  • Initial Daily Certified version 15 March 2006
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 15 March 2006

When the security risk program is installed, it creates the following files:
%System%\drivers\vmaser.exe
%System%\drivers\vmaser.sys

It also creates the following registry entry so that the application runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"ASER"= "%System%\drivers\vmaser.exe"

The risk creates the following service so that the application can monitor SMTP traffic (SMTP uses TCP port 25 by default):
Service Name: vmaser
Display Name: vmaser

The following registry key is associated with the vmaser service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VMASER

The risk also modifies the following registry entry so that the NetBIOS over TCP/IP (NetBT) service depends on the service the risk created; the original value lists only Tcpip:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\"DependOnService"="Tcpip vmaser"

Once installed, the application monitors SMTP traffic leaving the compromised computer. It parses the SMTP headers of each message sent from the machine and forwards a copy through an SMTP server of its own that it installs locally.
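The indicators above (dropped files, the Run value, the vmaser service and its key, the altered NetBT dependency, and a local SMTP listener) can be checked on a suspect host from an elevated PowerShell session. The following script is an added example written for this page; it is not Symantec's tooling and not code from the threat itself. It assumes %System% resolves to $env:SystemRoot\System32, that the host is Windows 8 / Server 2012 or later for the Get-NetTCPConnection port check, and that any process found listening on TCP 25 is reported for an analyst to judge rather than treated as proof on its own.

```powershell
# Added example: check a Windows host for the Spyware.MailRedirector indicators
# listed in this writeup. Run from an elevated PowerShell session.
# Assumption: %System% is $env:SystemRoot\System32 (normally C:\Windows\System32).

$system   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Dropped files under %System%\drivers
foreach ($rel in 'drivers\vmaser.exe', 'drivers\vmaser.sys') {
    $path = Join-Path $system $rel
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Persistence: Run value named "ASER" under HKLM
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ASER']) {
    $findings += "Run value ASER = $($run.ASER)"
}

# 3. The vmaser service and its registry key
if (Get-Service -Name 'vmaser' -ErrorAction SilentlyContinue) {
    $findings += 'Service vmaser is registered'
}
if (Test-Path 'HKLM:\System\CurrentControlSet\Services\VMASER') {
    $findings += 'Service key HKLM\System\CurrentControlSet\Services\VMASER exists'
}

# 4. NetBT made dependent on vmaser. DependOnService is normally a
#    REG_MULTI_SZ (returned as a string array); joining with a space also
#    covers a single-string "Tcpip vmaser" value, so match the token either way.
$netbt = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NetBT' `
                          -Name 'DependOnService' -ErrorAction SilentlyContinue
if ($netbt) {
    $deps = @($netbt.DependOnService) -join ' '
    if ($deps -match '(?i)\bvmaser\b') {
        $findings += "NetBT DependOnService includes vmaser: $deps"
    }
}

# 5. A local SMTP listener on TCP 25. Legitimate mail servers listen here too,
#    so the owning process is reported for the analyst to review.
$listeners = Get-NetTCPConnection -LocalPort 25 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    $findings += "TCP 25 listener: PID $($l.OwningProcess) ($name)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Spyware.MailRedirector indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Cleanup order matters because of indicator 4: NetBT will not start if a service it depends on is missing, so restore DependOnService to its original value (Tcpip only) before deleting the vmaser service and its files, then reboot and re-run the check.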