Spyware.NetMama

Updated:
03 July 2006
Risk Impact:
High
Systems Affected:
Windows

Behavior

Spyware.NetMama is spyware which logs Web sites visited and Internet chat conversations.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 May 2017 revision 024
  • Initial Daily Certified version 23 June 2006
  • Latest Daily Certified version 02 May 2017 revision 001
  • Initial Weekly Certified release date 28 June 2006

When Spyware.NetMama is installed, it creates the following files:
%ProgramFiles%\Provisqz\dAPIs.dll
%ProgramFiles%\Provisqz\gongli.dll
%ProgramFiles%\Provisqz\jet32.dll
%ProgramFiles%\Provisqz\mama.dll
%ProgramFiles%\Provisqz\nbc.exe
%ProgramFiles%\Provisqz\nmmhelper.dll
%ProgramFiles%\Provisqz\nmst.exe
%ProgramFiles%\Provisqz\pch.dll
%CommonProgramFiles%\mmtsb\ebc_net.dll
%CommonProgramFiles%\mmtsb\logi0321.dll
%CommonProgramFiles%\mmtsb\net_m_m.exe
%CommonProgramFiles%\mmtsb\netm0_d.dll
%CommonProgramFiles%\mmtsb\NMimeF.dll
%CommonProgramFiles%\mmtsb\odbc.dll
%CommonProgramFiles%\mmtsb\pptq.dat
%System%\net_3201.dll
%System%\007.css
%System%\esp.bin
%System%\Lgmtapi3201.ini
%System%\main_1537.asa
%System%\nystem_09.dat
%System%\Print_321.dat

In order to run correctly, the application also drops the following third-party components into the %System% folder and creates a number of registry subkeys that reference them:
%System%\MSInet.ocx
%System%\ImageSee.dll

In addition, a number of registry subkeys are created in association with the application:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D9ED5A8-EDBB-4B42-B549-DD4184E25592}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess\RegisteredApplications\{3C1182F3-442B-4C01-AE0F-99DFEF0B1F9F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess\RegisteredApplications\{51461ACD-9D36-4FAE-B8CC-B228B2B58621}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkCrawler\Objects\WorkgroupCrawler\sesessionPolicy328.23
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}

The risk also registers its component as a pluggable MIME filter for the text/html content type, so that Internet Explorer loads it to process every HTML page, by creating the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\"CLSID" = "{7D9ED5A8-EDBB-4B42-B549-DD4184E25592}"

The risk may create the following subkeys, if they do not already exist on the computer:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\dnsserver\dns
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\qate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\data\phoner
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Winamp.File
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Winamp.File\shell\open\command

The following registry value is also modified in order to hide installed files and folders:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "1"

The risk appends its own executable to the following registry value, so that Winlogon runs it every time a user logs on:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,c:\program files\provisqz\nmst.exe"

The risk also creates the following folder in which to store logs:
%System%\scr_03

The risk also injects itself into all processes on the computer.

The program registers itself as a Browser Helper Object so that it can monitor Internet activity.

The risk logs all Internet-based keystrokes and URLs typed on the compromised computer.

When a preconfigured password is typed on the compromised computer, the application's main interface opens, allowing a user to view the previously captured data.
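The following PowerShell script is an added example for checking a host against the indicators listed above; it is not part of this description and is not a Symantec tool. It assumes it is run in an elevated 64-bit PowerShell session on the suspect machine, that %System% is the System32 directory returned by [Environment]::GetFolderPath('System'), and that the only legitimate Userinit entry is userinit.exe. The function name Find-NetMamaIndicators is the example's own. The text/html filter key is opened through the .NET registry API because the PowerShell registry provider treats the forward slash in "text/html" as a path separator.

```powershell
# Added example (not Symantec's code): hunt for the Spyware.NetMama artifacts
# described on this page. Assumes an elevated 64-bit PowerShell session.
function Find-NetMamaIndicators {
    $clsids = @(
        '{184AF5F9-FB5C-4D70-95C8-3613B5DC0E23}',   # BHO / Ext\Settings CLSID
        '{7D9ED5A8-EDBB-4B42-B549-DD4184E25592}'    # text/html MIME filter CLSID
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon\Userinit: anything after "userinit.exe," is launched at every
    #    interactive logon. Report every entry that is not userinit.exe itself.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -LiteralPath $winlogon -Name Userinit).Userinit
    foreach ($entry in ($userinit -split ',')) {
        $entry = $entry.Trim()
        if ($entry -and ($entry -notlike '*\userinit.exe')) {
            $findings.Add("Userinit runs extra program: $entry")
        }
    }

    # 2. COM class and Browser Helper Object registration for the listed CLSIDs.
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($clsid in $clsids) {
        if (Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid") {
            $findings.Add("COM class registered: $clsid")
        }
        if (Test-Path -LiteralPath (Join-Path $bhoRoot $clsid)) {
            $findings.Add("Browser Helper Object registered: $clsid")
        }
    }

    # 3. Pluggable MIME filter for text/html. The key name contains "/", which the
    #    HKLM: provider would split, so use the .NET API (only "\" separates there).
    $filterKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SOFTWARE\Classes\PROTOCOLS\Filter\text/html')
    if ($filterKey) {
        $filterClsid = [string]$filterKey.GetValue('CLSID')
        $filterKey.Close()
        if ($clsids -contains $filterClsid) {
            $findings.Add("text/html MIME filter points at spyware CLSID: $filterClsid")
        }
    }

    # 4. Dropped folders, files and the log directory named in the description.
    $system = [Environment]::GetFolderPath('System')   # %System%
    $paths = @(
        (Join-Path $env:ProgramFiles 'Provisqz'),
        (Join-Path $env:CommonProgramFiles 'mmtsb'),
        (Join-Path $system 'scr_03'),
        (Join-Path $system 'net_3201.dll'),
        (Join-Path $system '007.css'),
        (Join-Path $system 'esp.bin'),
        (Join-Path $system 'Lgmtapi3201.ini'),
        (Join-Path $system 'main_1537.asa'),
        (Join-Path $system 'nystem_09.dat'),
        (Join-Path $system 'Print_321.dat')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings.Add("Artifact present: $p") }
    }

    return $findings
}

$hits = Find-NetMamaIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No Spyware.NetMama indicators found.'
} else {
    $hits | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the Userinit check or the text/html filter is the strongest signal, because those two locations are rarely modified by legitimate software; file-name hits alone should be confirmed by examining the files, since the %System% names are generic enough to collide with other programs.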