Spyware.EMailObserver

Updated: April 27, 2006
Risk Impact: Medium
Systems Affected: Windows

Behavior

Spyware.EMailObserver is a spyware program that invisibly copies all outgoing emails and sends the copies to an email address.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version April 27, 2006
  • Latest Daily Certified version March 09, 2011 revision 002
  • Initial Weekly Certified release date May 03, 2006

When the risk is installed, it creates the following files:
C:\Program Files\EmailObserver\emos.exe
C:\Program Files\EmailObserver\emoshelp.chm
C:\Program Files\EmailObserver\license.txt
C:\WINDOWS\SYSTEM32\emos.exe
C:\WINDOWS\SYSTEM32\drivers\emos.sys
C:\WINDOWS\Help\emoshelp.chm
%UserProfile%\Start Menu\Programs\EmailObserver\EmailObserver Help.lnk
%UserProfile%\Start Menu\Programs\EmailObserver\EmailObserver License.lnk
%UserProfile%\Start Menu\Programs\EmailObserver\EmailObserver.lnk
%UserProfile%\Start Menu\Programs\EmailObserver\Uninstall EmailObserver.lnk

The risk creates the following folders:
C:\Program Files\EmailObserver
%UserProfile%\Start Menu\Programs\EmailObserver

Next, the risk creates the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run\"EmailObserver" = "C:\WINDOWS\system32\emos.exe /config"

The risk also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EmailObserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emos
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emossrv

The risk then copies all outgoing emails and sends the copies to a secret email address.
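A read-only triage check for the artifacts listed above, written as an added example for responders (it is not part of the original writeup): it tests each file, folder, registry value, subkey and service named in the description and reports what is present, without removing anything. The paths and names are taken from the description; that they appear unchanged on a given host is an assumption.

```powershell
# Added example: triage a Windows host for the Spyware.EMailObserver
# artifacts named in the writeup. Reports only; removal is left to the
# cleanup procedure.
$paths = @(
    'C:\Program Files\EmailObserver\emos.exe',
    'C:\Program Files\EmailObserver\emoshelp.chm',
    'C:\Program Files\EmailObserver\license.txt',
    'C:\WINDOWS\SYSTEM32\emos.exe',
    'C:\WINDOWS\SYSTEM32\drivers\emos.sys',
    'C:\WINDOWS\Help\emoshelp.chm',
    'C:\Program Files\EmailObserver',
    '%UserProfile%\Start Menu\Programs\EmailObserver'   # folder holding the .lnk files
)
$findings = @()

# Expand %UserProfile% before testing; -LiteralPath avoids wildcard parsing.
foreach ($p in $paths) {
    $full = [Environment]::ExpandEnvironmentVariables($p)
    if (Test-Path -LiteralPath $full) { $findings += "file/folder present: $full" }
}

# Persistence: the Explorer\Run value that launches emos.exe at startup.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run'
$run = Get-ItemProperty -Path $runKey -Name 'EmailObserver' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value present: EmailObserver = $($run.EmailObserver)" }

# Uninstall entry and the two service subkeys named in the writeup.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EmailObserver',
    'HKLM:\SYSTEM\CurrentControlSet\Services\emos',
    'HKLM:\SYSTEM\CurrentControlSet\Services\emossrv'
)
foreach ($k in $keys) {
    if (Test-Path -Path $k) { $findings += "registry key present: $k" }
}

# Services known to the Service Control Manager. Get-Service lists Win32
# services only, so a kernel driver such as emos.sys will not appear here.
foreach ($svc in 'emos', 'emossrv') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { $findings += "service '$svc' status: $($s.Status)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Spyware.EMailObserver artifacts found.'
} else {
    Write-Output 'Spyware.EMailObserver artifacts found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so the HKLM and SYSTEM32 checks are not blocked by access rights.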