||||
Symantec.com > Security Response > Threats and Risks > Spyware.Spy-Guard
PRINT THIS PAGE

Spyware.Spy-Guard

Printer Friendly Page

Updated: February 13, 2007 11:48:21 AM
Type: Spyware
Publisher: SpyGuard
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.Spy-Guard is installed, it performs the following actions:
  1. Creates the following files:

    • %CurrentFolder%\MSFLXGRD.OCX (This is a non-malicious component that may be used by other applications.)
    • %CurrentFolder%\TABCTL32.ocx (This is a non-malicious component that may be used by other applications.)
    • %CurrentFolder%\MSSTDFMT.DLL (This is a non-malicious component that may be used by other applications.)
    • %CurrentFolder%\MSVBVM60.DLL (This is a non-malicious component that may be used by other applications.)
    • %CurrentFolder%\STDFTFR.DLL (This is a non-malicious component that may be used by other applications.)
    • %CurrentFolder%\STDOLE2.TLB (This is a non-malicious component that may be used by other applications.)
    • %CurrentFolder%\svcmon.exe
    • %CurrentFolder%\setup.bat
    • %CurrentFolder%\Installation.txt
    • %CurrentFolder%\license_condition d'utilisation.txt
    • %System%\esys.dll
    • %System%\Flxgdfr.dll (This is a non-malicious component that may be used by other applications.)
    • %System%\Msflxgrd.ocx (This is a non-malicious component that may be used by other applications.)
    • %System%\Msstdfmt.dll (This is a non-malicious component that may be used by other applications.)
    • %System%\stdftfr.dll (This is a non-malicious component that may be used by other applications.)
    • %System%\Tabctfr.dll (This is a non-malicious component that may be used by other applications.)
    • %System%\Tabctl32.ocx (This is a non-malicious component that may be used by other applications.)
    • %System%\Vb6fr.dll (This is a non-malicious component that may be used by other applications.)
    • %System%\Vb6stkit.dll (This is a non-malicious component that may be used by other applications.)

      Note:
    • %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following folders:

    • %CurrentFolder%\win_95_98
    • %CurrentFolder%\win2000
    • %CurrentFolder%\win_me
    • %CurrentFolder%\win_xp

  3. Adds the value:

    "svcmon" = "%CurrentFolder%\svcmon.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

    Note: The risk also creates numerous legitimate registry entries associated with the non-malicious components that are installed by it.

  4. Logs keystrokes and monitors user activity, such as Web sites visited. This risk also allows users the ability to block access to specific Web sites.


Search by name
Example: W32.Beagle.AG@mm
Learn more about Zero-Day / Operation Aurora / Hydraq
Symantec DeepSight Screensaver
©1995 - 2010 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS