
Spyware.EyeSpyPro

Updated:
February 13, 2007 11:47:59 AM
Type:
Spyware
Publisher:
Low Budget Designs
Risk Impact:
Medium
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once Spyware.EyeSpyPro is executed, it performs the following actions:
  1. Creates the following files:

    • %UserProfile%\Desktop\Eye Spy Pro Demo.lnk
    • %UserProfile%\Start Menu\Programs\Low Budget Designs Software\Eye Spy Pro Demo\Eye Spy Pro Demo.lnk
    • %UserProfile%\Start Menu\Programs\Low Budget Designs Software\Eye Spy Pro Demo\Readme-Help.lnk
    • %ProgramFiles%\ESP Demo\ESPDemo.exe
    • %ProgramFiles%\ESP Demo\EventScheduler.mdb
    • %ProgramFiles%\ESP Demo\EventScheduler.ldb
    • %ProgramFiles%\ESP Demo\Help.rtf
    • %ProgramFiles%\ESP Demo\riched32.dll
    • %Windir%\Installer\[RANDOM CHARACTERS].msi
    • %System%\actskn43.ocx (This is a non-malicious component that may be used by other applications.)
    • %System%\dijpg.dll (This is a non-malicious component that may be used by other applications.)
    • %System%\richtx32.ocx (This is a non-malicious component that may be used by other applications.)
    • %System%\skinboxer43.dll (This is a non-malicious component that may be used by other applications.)
    • %System%\comdlg32.ocx (This is a non-malicious component that may be used by other applications.)
    • %System%\mscomct2.ocx (This is a non-malicious component that may be used by other applications.)
    • %System%\mscomctl.ocx (This is a non-malicious component that may be used by other applications.)
    • %System%\mswinsck.ocx (This is a non-malicious component that may be used by other applications.)

      Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following folders:

    • %UserProfile%\Application Data\Microsoft\Installer\{F1C0A4FD-6141-4C41-98F3-93A8E2F48653} (The threat creates numerous files, with the file name [RANDOM FILE NAME].exe, in this folder.)
    • %ProgramFiles%\ESP Demo\projects (This folder may contain more randomly named folders which contain the data that is gathered by the threat.)
    • %ProgramFiles%\ESP Demo\temp

  3. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\%CURRENT_USER%\Products\DF4A0C1F141614C4893F398A2E4F6835
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F1C0A4FD-6141-4C41-98F3-93A8E2F48653}
    HKEY_LOCAL_MACHINE\SOFTWARE\Low Budget Designs\Eye Spy Pro
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Modules\[RANDOM CHARACTERS]
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2976337D88F028446BDB7AC4A26922A9
    HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\DF4A0C1F141614C4893F398A2E4F6835
    HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\DF4A0C1F141614C4893F398A2E4F6835
    HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\DF4A0C1F141614C4893F398A2E4F6835


  4. Adds the value:

    "c:\Documents and Settings\%CURRENT_USER%\Start Menu\Programs\Low Budget Designs Software" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

  5. Adds the value:

    "c:\Documents and Settings\%CURRENT_USER%\Start Menu\Programs\Low Budget Designs Software\Eye Spy Pro Demo" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

  6. Adds the value:

    "c:\Program Files\Esp Dem" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

  7. Adds the value:

    "MSRegScan" = "c:\Program Files\ESP Demo\ESPDemo.exe"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


  8. Monitors user activity on the compromised computer, logs keystrokes, and captures screenshots.
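A read-only host check for the indicators listed in steps 1 through 7, written as an added example (it is not part of this write-up): it reports the "MSRegScan" Run value, the %ProgramFiles%\ESP Demo folder contents, and the vendor and Uninstall registry keys, and removes nothing.

```powershell
# Added example, not part of the Symantec write-up: report the persistence
# value, program folder and registry keys listed above for Spyware.EyeSpyPro.
# Read-only; it changes nothing on the host.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Data) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Data = $Data })
}

# Step 7: "MSRegScan" = "c:\Program Files\ESP Demo\ESPDemo.exe" under both Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.PSObject.Properties['MSRegScan']) {
        $data = [string]$props.MSRegScan
        # Flag the value name regardless of its data; note whether it points at ESPDemo.exe.
        $kind = if ($data -match 'ESPDemo\.exe$') { 'Run value (matches write-up)' } else { 'Run value (name only)' }
        Add-Finding $kind $key $data
    }
}

# Steps 1 and 2: files and folders under %ProgramFiles%\ESP Demo.
$espDir = Join-Path $env:ProgramFiles 'ESP Demo'
foreach ($name in 'ESPDemo.exe', 'EventScheduler.mdb', 'EventScheduler.ldb', 'Help.rtf', 'projects', 'temp') {
    $path = Join-Path $espDir $name
    if (Test-Path -LiteralPath $path) { Add-Finding 'File/folder' $path '' }
}

# Step 3: vendor key and the installer's Uninstall entry.
$otherKeys = @(
    'HKLM:\SOFTWARE\Low Budget Designs\Eye Spy Pro',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F1C0A4FD-6141-4C41-98F3-93A8E2F48653}'
)
foreach ($key in $otherKeys) {
    if (Test-Path -LiteralPath $key) { Add-Finding 'Registry key' $key '' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Spyware.EyeSpyPro indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

On 64-bit Windows, which the Systems Affected list above does not cover, a 32-bit installer's keys would appear under the Wow6432Node views as well, so extend the key lists accordingly before relying on the result there.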

