Spyware.GoldenEye


Updated: February 10, 2006 5:36:32 PM
Type: Spyware
Risk Impact: Low
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000


Spyware.GoldenEye is spyware that logs keystrokes, lists the names of all running programs, and takes screenshots periodically.

It has been reported that Spyware.GoldenEye is distributed as the file Gesetup.exe.

When the program is executed, it creates the following files:
AGSeyApp.exe
GEHP.dll
BMPtoJPG.dll
KBHOOK.dll
MSCOMCTL.OCX
OLEAUT32.DLL
PICCLP32.OCX
TabCtl32.ocx
Unins000.exe
%USERDESKTOP%\Golden[1-3 SPACES]Eye.lnk

The program allows the person installing it to configure the installation path, log files path, and any hot-key combinations.

The default installation path depends on the version, and can be one of the following:
%ProgramFiles%\AGSeyApp
%ProgramFiles%\AGS8edsApp
%ProgramFiles%\AGSeydsApp
%ProgramFiles%\A8GSdsApp
%ProgramFiles%\AGSedsApp

The default log files path also depends on the version and can be one of the following:
%ProgramFiles%\CommonFiles\SysgeData
%System%\Sys12Data
%System%\Sys52Data
%System%\SysgeData

The program can also create the following files:
%UserProfile%\Application Data\LHGSYFE
%System%\LHGSYFE
%System%\GoldenEye.lnk
%System%\GoldnEye.lnk
%System%\GoldEye.lnk

The default hot key is Ctrl+Alt+Shift+P.

The program adds the following registry entry so that the spyware runs when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"AGSeyApp"="[INSTALLATION PATH]\AGSeyApp.exe"

The program also adds the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\OLEAUT32.DLL" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\MSCOMCTL.OCX" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\TabCtl32.ocx" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\PICCLP32.OCX" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\GEHP.dll" = "0x1"
HKEY_CLASSES_ROOT\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
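The file and registry indicators above can be turned into a simple offline triage check. The script below is an added example, not part of the Symantec writeup, that scans a host inventory (registry entries written in the same `KEY\"NAME"="VALUE"` notation the writeup uses, plus a list of file paths) for the indicators listed on this page. The registry lines and file paths embedded in it are constructed sample data, not real artefacts; MSCOMCTL.OCX, OLEAUT32.DLL, PICCLP32.OCX and TabCtl32.ocx are generic Microsoft runtime components that ship with many legitimate programs, so only the GoldenEye-specific names are treated as indicators.

```python
"""Offline triage of Spyware.GoldenEye indicators (added example, not the
writeup's own code). All sample data below is constructed."""
import re
from typing import Iterable, List, Tuple

# File names specific to this spyware (the generic OCX/DLL components are excluded).
STRONG_FILES = {"agseyapp.exe", "gehp.dll", "kbhook.dll", "bmptojpg.dll", "gesetup.exe"}
# Version-dependent default installation and log directories from the writeup.
INSTALL_DIRS = {"agseyapp", "ags8edsapp", "agseydsapp", "a8gsdsapp", "agsedsapp"}
LOG_DIRS = {"sysgedata", "sys12data", "sys52data"}
# Other files the program can create.
MISC_NAMES = {"lhgsyfe", "goldeneye.lnk", "goldneye.lnk", "goldeye.lnk"}
# Desktop shortcut "Golden Eye.lnk" with one to three spaces between the words.
GOLDEN_EYE_LNK = re.compile(r"^golden {1,3}eye\.lnk$", re.IGNORECASE)

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Matches the writeup's notation: KEY\"NAME"="VALUE" (value quotes optional).
REG_LINE = re.compile(r'^(?P<key>[^"]+?)\\"(?P<name>[^"]*)"\s*=\s*"?(?P<value>[^"]*)"?\s*$')


def check_file_path(path: str) -> List[str]:
    """Return the indicator labels that a single file path matches."""
    hits: List[str] = []
    parts = [p for p in re.split(r"[\\/]", path) if p]
    if not parts:
        return hits
    name = parts[-1].lower()
    dirs = {p.lower() for p in parts[:-1]}
    if name in STRONG_FILES:
        hits.append(f"file:{name}")
    if name in MISC_NAMES or GOLDEN_EYE_LNK.match(parts[-1]):
        hits.append(f"artifact:{parts[-1]}")
    if dirs & INSTALL_DIRS:
        hits.append("install-dir:" + ",".join(sorted(dirs & INSTALL_DIRS)))
    if dirs & LOG_DIRS:
        hits.append("log-dir:" + ",".join(sorted(dirs & LOG_DIRS)))
    return hits


def check_registry_line(line: str) -> List[str]:
    """Flag the Run-key persistence entry and the GEHP.dll SharedDLLs entry."""
    m = REG_LINE.match(line.strip())
    if not m:
        return []
    key, name, value = m.group("key").lower(), m.group("name"), m.group("value")
    hits: List[str] = []
    if key == RUN_KEY and (name.lower() == "agseyapp" or "agseyapp.exe" in value.lower()):
        hits.append("run-key:" + name)
    if key.endswith(r"\shareddlls") and name.lower().endswith("gehp.dll"):
        hits.append("shareddll:GEHP.dll")
    return hits


def scan(reg_lines: Iterable[str], file_paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (indicator label, offending entry) pairs for a whole inventory."""
    findings: List[Tuple[str, str]] = []
    for line in reg_lines:
        for hit in check_registry_line(line):
            findings.append((hit, line.strip()))
    for path in file_paths:
        for hit in check_file_path(path):
            findings.append((hit, path))
    return findings


# Constructed sample inventory: two GoldenEye entries and two benign ones in the
# registry, and a mix of suspicious and legitimate file paths.
SAMPLE_REG = [
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"AGSeyApp"="C:\Program Files\AGSeyApp\AGSeyApp.exe"',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\Program Files\AGSeyApp\GEHP.dll" = "0x1"',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\Program Files\AGSeyApp\MSCOMCTL.OCX" = "0x1"',
]
SAMPLE_FILES = [
    r"C:\Program Files\AGSeyApp\AGSeyApp.exe",
    r"C:\Program Files\AGSeyApp\KBHOOK.dll",
    r"C:\WINDOWS\system32\Sys52Data\log001.txt",
    r"C:\Documents and Settings\user\Desktop\Golden  Eye.lnk",
    r"C:\WINDOWS\system32\MSCOMCTL.OCX",
    r"C:\WINDOWS\system32\LHGSYFE",
]

if __name__ == "__main__":
    for label, entry in scan(SAMPLE_REG, SAMPLE_FILES):
        print(f"{label:28} {entry}")
```

On a live host the inventory would come from a registry export and a recursive directory listing rather than the constructed lists; the Run-key entry and the GEHP.dll SharedDLLs entry are the highest-confidence registry indicators, while a hit on an install or log directory name alone should be confirmed against the file names inside it, since the directory names vary by version.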