
Spyware.KGBSpy

Updated: February 13, 2007 11:44:20 AM
Type: Spyware
Version: 3.83
Publisher: ReFog Software
Risk Impact: Medium
File Names: Systems.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows XP

When Spyware.KGBSpy is installed, it does the following:
  1. Adds the value:

    "systems.exe" = "%ProgramFiles%\KGB Spy\Systems.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

    Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Adds the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KGB Spy
    HKEY_CURRENT_USER\Software\KGB Spy
    HKEY_CLASSES_ROOT\keyfile
    HKEY_CLASSES_ROOT\.key

    HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software
    HKEY_CURRENT_USER\Software\ASProtect\SpecData
    HKEY_CURRENT_USER\Software\ReFog Software\Keyboard Spectator Pro

  3. Creates the following files and folders:

    • %ProgramFiles%\KGB Spy\Systems.exe (detected as Spyware.KGBSpy).
    • %ProgramFiles%\KGB Spy\systemdll.dll (detected as Hacktool.Keylogger).
    • %ProgramFiles%\KGB Spy\uninstall.ini (Uninstall information).
    • %ProgramFiles%\KGB Spy\uninstall.exe (The uninstaller).
    • %ProgramFiles%\KGB Spy\Help.chm (The spyware help file).
    • %ProgramFiles%\KGB Spy\Readme.txt (Readme file).
    • %ProgramFiles%\KGB Spy\License.txt (The end user license).
    • %ProgramFiles%\KGB Spy\*.lng (messages for specific languages)
    • %ProgramFiles%\KGB Spy\Lang.txt (configuration file)
    • %ProgramFiles%\KGB Spy\FILE_ID.DIZ (text file)
    • %ProgramFiles%\KGB Spy\VisitHomepage.url (URL shortcut)
    • %ProgramFiles%\KGB Spy\BuyOnline.url (URL shortcut)
    • C:\Documents and Settings\All Users\Application Data\KSP (The data storage folder for the log file).
    • C:\Documents and Settings\All Users\Start Menu\Programs\KGB Spy
    • %UserProfile%\Desktop\KGB Spy.lnk (The shortcut file to Systems.exe).
    • %System%\ci0-cabinet.dll (legitimate .dll)

    Notes:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
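
The artifacts listed in steps 1 to 3 can be checked on a live system with a short PowerShell function. This is an added example, not part of the original write-up: the function name and output fields are hypothetical, and HKEY_CLASSES_ROOT\.key, HKEY_CLASSES_ROOT\keyfile, the ASProtect subkey and ci0-cabinet.dll are left out on the assumption that they are less specific to this risk (the write-up itself marks ci0-cabinet.dll as a legitimate .dll).

```powershell
# Added example: indicator strings are copied from the write-up above;
# the function name and output fields are hypothetical.
# Uses New-Object PSObject so it also runs on PowerShell 2.0 (Windows XP).
function Test-KgbSpyArtifacts {
    $dir   = Join-Path $env:ProgramFiles 'KGB Spy'   # %ProgramFiles%\KGB Spy
    $found = @()

    # Step 1: autostart value "systems.exe" under the HKLM Run subkey.
    $runKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'systems.exe' -ErrorAction SilentlyContinue
    if ($run) {
        $data     = ([string]$run.'systems.exe').Trim('"')
        $expected = Join-Path $dir 'Systems.exe'
        $found += New-Object PSObject -Property @{
            Kind   = 'RunValue'
            Item   = 'HKLM\...\CurrentVersion\Run : systems.exe'
            Detail = "data=$data; documented path: $($data -ieq $expected)"
        }
    }

    # Step 2: product-specific registry subkeys.
    # HKEY_CURRENT_USER only covers the account running this check.
    $keys = @(
        'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KGB Spy',
        'HKEY_CURRENT_USER\Software\KGB Spy',
        'HKEY_LOCAL_MACHINE\SOFTWARE\ReFog Software',
        'HKEY_CURRENT_USER\Software\ReFog Software\Keyboard Spectator Pro'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath "Registry::$k") {
            $found += New-Object PSObject -Property @{ Kind = 'RegKey'; Item = $k; Detail = 'present' }
        }
    }

    # Step 3: program files and the log storage folder.
    $paths = @(
        (Join-Path $dir 'Systems.exe'),
        (Join-Path $dir 'systemdll.dll'),
        (Join-Path $dir 'uninstall.exe'),
        'C:\Documents and Settings\All Users\Application Data\KSP',
        'C:\Documents and Settings\All Users\Start Menu\Programs\KGB Spy'
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $found += New-Object PSObject -Property @{ Kind = 'Path'; Item = $p; Detail = 'present' }
        }
    }

    $found | Select-Object Kind, Item, Detail
}
```

Run `Test-KgbSpyArtifacts | Format-Table -AutoSize` from an administrative session; no output means none of the checked artifacts were found for the current user and machine.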

