Updated: February 13, 2007 11:45:49 AM
Type: Spyware
Version: 2.0
Publisher: eSunSoft
Risk Impact: High
File Names:
espynow.exe
SVCH0ST.EXE
ESNOWUN.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
When Spyware.EliteKeylogger is installed, it does the following:
- Creates the following files:
- %UserProfile%\Start Menu\Programs\eSpyNow v2.0\Remove eSpyNow v2.0.lnk
- %UserProfile%\Desktop\espynow.exe
- %System%\DIjpg.dll
- %System%\eSpyNow-v2.0\BlockApplicationWindow.spy
- %System%\eSpyNow-v2.0\BlockKeyWatch.spy
- %System%\eSpyNow-v2.0\BlockUserFilter.spy
- %System%\eSpyNow-v2.0\BlockWebMonitoringWindow.spy
- %System%\eSpyNow-v2.0\ESNOWUN.dll
- %System%\eSpyNow-v2.0\eSpyNowFirstRunWindow.htm
- %System%\eSpyNow-v2.0\eSpyNowWindow.htm
- %System%\eSpyNow-v2.0\SVCH0ST.EXE
- %System%\eSpyNow-v2.0\uninstal.log
- %System%\RICHTX32.OCX
- %System%\tabctl32.ocx
- %System%\xzipper30.ocx
- %Windir%\unvise32.exe
Notes:
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{849A4AB0-92BF-11D4-AAD4-9EB3504E5079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{849A4AAC-92BF-11D4-AAD4-9EB3504E5079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{849A4AAE-92BF-11D4-AAD4-9EB3504E5079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{849A4AAB-92BF-11D4-AAD4-9EB3504E5079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xzipper30.xzipper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eSpyNow v2.0
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Aff_eSpyNow.v1
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\eSpyNow
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\eSpyNow-16-09-2003-v2.0
- Adds the value:
"reg2.0" = "%System%\eSpyNow-v2.0\SVCH0ST.EXE"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
- Modifies the value:
"(Default)" = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"
in the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib
- Monitors Internet activity, logs keystrokes, and captures screenshots.
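As an added example (not part of this writeup and not Symantec tooling), the following Python scans a .reg export of the HKEY_CURRENT_USER Run key for the persistence entry described above: it flags the digit-zero spelling SVCH0ST.EXE and any svchost.exe launched from a folder other than System32 itself. The .reg text is constructed sample data; the expanded C:\WINDOWS\System32 path assumes a Windows XP system.

```python
import re

# Constructed sample .reg export of the per-user Run key. "reg2.0" reproduces the
# persistence value described in this writeup (%System% expanded as on Windows XP);
# "OneDrive" is a constructed benign entry for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reg2.0"="C:\\WINDOWS\\System32\\eSpyNow-v2.0\\SVCH0ST.EXE"
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_run_values(reg_text):
    """Return {value name: data} for string values under the HKCU Run key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            # .reg files escape backslashes and quotes with a backslash; undo that.
            values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return values

def image_path(command):
    """Path of the executable in a Run command (quoted or bare), arguments dropped."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def suspicious_run_entries(reg_text):
    """Names of Run values whose image imitates svchost.exe or runs it from the wrong folder."""
    hits = []
    for name, data in parse_run_values(reg_text).items():
        folder, _, exe = image_path(data).lower().rpartition("\\")
        # SVCH0ST.EXE swaps the letter O in svchost.exe for a digit zero.
        homoglyph = exe != "svchost.exe" and exe.replace("0", "o") == "svchost.exe"
        # The genuine svchost.exe lives directly in the System32 folder, not a subfolder.
        misplaced = exe == "svchost.exe" and not folder.endswith("\\system32")
        if homoglyph or misplaced:
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_REG))  # ['reg2.0']
```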