NETObserve

Posted: March 28, 2006

NETObserve is a powerful remote administration tool with a rich set of functions. NETObserve is a legitimate and quite popular product. It can be used to remotely control the affected PC, browse its file system, manage its files and processes, and modify essential computer and networking settings. The application also tracks user and computer activity, logs all keystrokes, takes screenshots, captures pictures from a webcam, and records online chat conversations and the addresses of visited web sites. NETObserve is controlled through a web interface. The RAT can hide its running processes and use different techniques to avoid detection. The threat runs on every Windows startup.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 broadcast.exe
    2 easys.dll
    3 no32mon.exe
    4 nosys32.dll
    5 syscap32.dll

Registry Modifications

  • The following Registry values were created:
    HKEY_LOCAL_MACHINE\SOFTWARE\ExploreAnywhereSoftwareNOuy_url=[siteaddress]
    HKEY_LOCAL_MACHINE\SOFTWARE\ExploreAnywhereSoftwareNOsite_url=[siteaddress]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1sys32cfg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\%Windir%\unvise32.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NETObserve[XVS]