
Spyware.ESP

Updated:
March 24, 2006 5:05:56 PM
Type:
Spyware
Risk Impact:
High
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Spyware.ESP is a spyware program that monitors user activity on the compromised computer, such as applications executed and keystrokes typed. It also takes screenshots of the desktop.

When the risk is installed, it creates the following files:
%UserProfile%\Desktop\ESP Full.lnk
%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full\ESP Full.lnk
%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full\Readme-Help.lnk
%ProgramFiles%\ESP Full\ESP+.exe
%ProgramFiles%\ESP Full\EventScheduler.mdb
%ProgramFiles%\ESP Full\Help.rtf
%ProgramFiles%\ESP Full\riched32.dll
%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}\_[RANDOM].exe
%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}\_[RANDOM].exe
%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}\_[RANDOM].exe
%Windir%\Installer\[RANDOM].msi (A copy of the original installer.)

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Horizon DataSys Inc.\ESP+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C\F21F7DAC4F34EDE4EB421B1935BEF2C4
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\F21F7DAC4F34EDE4EB421B1935BEF2C4
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}

The risk then adds the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\ESP Full\ESP+"
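The files, the Windows Installer product code and the Run value listed above are the artifacts a defender can check for on a host. The following script is an added example and is not part of the Symantec writeup: it matches those indicators against a snapshot of a host. The HostSnapshot layout, the expand() helper and the sample infected host (user "alice", the ctfmon.exe Run value, the "{SOME-OTHER-PRODUCT}" uninstall key) are this example's own constructions; collect_snapshot() gathers the same data from a live Windows host using the standard winreg module, and the offline sample is used elsewhere.

```python
"""Check a Windows host snapshot for the Spyware.ESP indicators in the writeup.
Added example; the snapshot format and sample data are constructed here."""
import os
import platform
from dataclasses import dataclass

# Indicators taken from the writeup; paths keep its %Var% placeholders.
ESP_FILES = (
    r"%UserProfile%\Desktop\ESP Full.lnk",
    r"%ProgramFiles%\ESP Full\ESP+.exe",
    r"%ProgramFiles%\ESP Full\EventScheduler.mdb",
    r"%ProgramFiles%\ESP Full\Help.rtf",
)
ESP_PRODUCT_CODE = "{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}"
ESP_RUN_NAME = "MSRegScan"
ESP_RUN_DATA = r"C:\Program Files\ESP Full\ESP+"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


@dataclass
class HostSnapshot:
    """Minimal view of a host; this layout is the example's own assumption."""
    env: dict            # placeholder name -> expanded directory
    files: set           # absolute file paths present on the host
    run_values: dict     # HKLM ...\Run value name -> data
    uninstall_keys: set  # subkey names under HKLM ...\Uninstall


def expand(path, env):
    """Expand %UserProfile% / %ProgramFiles% style placeholders."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path


def find_indicators(snap):
    """Return (kind, detail) tuples for every Spyware.ESP indicator present."""
    hits = []
    present = {p.lower() for p in snap.files}
    for p in ESP_FILES:
        full = expand(p, snap.env)
        if full.lower() in present:
            hits.append(("file", full))
    # Persistence: the Run value "MSRegScan" pointing at ESP+ (quotes tolerated).
    data = snap.run_values.get(ESP_RUN_NAME)
    if data is not None and data.strip('"').lower().startswith(ESP_RUN_DATA.lower()):
        hits.append(("run", f"{ESP_RUN_NAME} = {data}"))
    # Windows Installer product code registered under Uninstall.
    if ESP_PRODUCT_CODE.lower() in {k.lower() for k in snap.uninstall_keys}:
        hits.append(("uninstall", ESP_PRODUCT_CODE))
    return hits


def collect_snapshot():
    """Gather the same data from a live Windows host (Windows only)."""
    if platform.system() != "Windows":
        raise RuntimeError("collect_snapshot() only runs on Windows")
    import winreg
    env = {"UserProfile": os.environ["USERPROFILE"],
           "ProgramFiles": os.environ["ProgramFiles"]}
    files = {expand(p, env) for p in ESP_FILES if os.path.exists(expand(p, env))}
    run_values, uninstall = {}, set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            run_values[name] = str(data)
            i += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_KEY) as key:
        i = 0
        while True:
            try:
                uninstall.add(winreg.EnumKey(key, i))
            except OSError:  # no more subkeys
                break
            i += 1
    return HostSnapshot(env, files, run_values, uninstall)


# Constructed sample snapshot of an infected host, for offline use.
SAMPLE = HostSnapshot(
    env={"UserProfile": r"C:\Documents and Settings\alice",
         "ProgramFiles": r"C:\Program Files"},
    files={r"C:\Program Files\ESP Full\ESP+.exe",
           r"C:\Program Files\ESP Full\EventScheduler.mdb",
           r"C:\Documents and Settings\alice\Desktop\ESP Full.lnk"},
    run_values={"MSRegScan": r"C:\Program Files\ESP Full\ESP+",
                "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    uninstall_keys={ESP_PRODUCT_CODE, "{SOME-OTHER-PRODUCT}"},
)

if __name__ == "__main__":
    snap = collect_snapshot() if platform.system() == "Windows" else SAMPLE
    for kind, detail in find_indicators(snap):
        print(f"[{kind}] {detail}")
```

The Run value is matched by its fixed name and by the path prefix rather than by exact string, so a quoted or slightly different command line still fires; the product code and file checks are case-insensitive because Windows paths and registry key names are.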

In order to run, the risk creates and registers the following legitimate third-party library files (.dll and .ocx) if they don't already exist on the computer:
%System%\actskn43.ocx
%System%\asycfilt.dll
%System%\comcat.dll
%System%\comdlg32.ocx
%System%\dijpg.dll
%System%\mscomct2.ocx
%System%\mscomctl.ocx
%System%\msvbvm60.dll
%System%\msvcrt.dll
%System%\mswinsck.ocx
%System%\oleaut32.dll
%System%\olepro32.dll
%System%\riched32.dll
%System%\richtx32.ocx
%System%\skinboxer43.dll

A number of registry subkeys associated with these .dll files may also be created.

The risk then monitors user activity on the compromised computer, including:
Web sites visited
Applications executed
Files and folders modified
Keystrokes typed
Microsoft Instant Messenger and email traffic

The risk also takes screenshots of the desktop at regular intervals.

Any data logged by the risk may be sent to a predefined email address.