Spyware.GoldenEye

Updated: February 10, 2006 5:36:32 PM
Type: Spyware
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.GoldenEye is spyware that logs keystrokes, lists the names of all running programs, and takes screenshots periodically.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version April 17, 2018 revision 036
  • Initial Daily Certified version June 29, 2004 revision 019
  • Latest Daily Certified version April 18, 2018 revision 005
  • Initial Weekly Certified release date June 30, 2004

It has been reported that Spyware.GoldenEye is distributed as the file Gesetup.exe.

When the program is executed, it creates the following files:
AGSeyApp.exe
GEHP.dll
BMPtoJPG.dll
KBHOOK.dll
MSCOMCTL.OCX
OLEAUT32.DLL
PICCLP32.OCX
TabCtl32.ocx
Unins000.exe
%USERDESKTOP%\Golden[1-3 SPACES]Eye.lnk

The program allows the person installing it to configure the installation path, log files path, and any hot-key combinations.

The default installation path depends on the version, and can be one of the following:
%ProgramFiles%\AGSeyApp
%ProgramFiles%\AGS8edsApp
%ProgramFiles%\AGSeydsApp
%ProgramFiles%\A8GSdsApp
%ProgramFiles%\AGSedsApp

The default log files path also depends on the version, and can be one of the following:
%ProgramFiles%\CommonFiles\SysgeData
%System%\Sys12Data
%System%\Sys52Data
%System%\SysgeData

The program can also create the following files:
%UserProfile%\Application Data\LHGSYFE
%System%\LHGSYFE
%System%\GoldenEye.lnk
%System%\GoldnEye.lnk
%System%\GoldEye.lnk

The default hot key is Ctrl+Alt+Shift+P.

The program adds the following registry entry so that the spyware runs when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"AGSeyApp"="[INSTALLATION PATH]\AGSeyApp.exe"

The program also adds the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\OLEAUT32.DLL" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\MSCOMCTL.OCX" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\TabCtl32.ocx" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\PICCLP32.OCX" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\GEHP.dll" = "0x1"
HKEY_CLASSES_ROOT\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
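A host triage check for the file and registry indicators listed above, added here as an example and not part of this writeup or any Symantec tool. It assumes it runs with administrative rights on the examined Windows host, that %System% maps to System32, and that the writeup's "%ProgramFiles%\CommonFiles" is the Common Files folder.

```powershell
# Added example (not Symantec's code): check a host for the indicators this
# writeup lists. Assumptions: run as Administrator; %System% is System32;
# "%ProgramFiles%\CommonFiles" is the Common Files folder ($env:CommonProgramFiles).
$findings = @()
$system = Join-Path $env:SystemRoot 'System32'

# Startup persistence: the HKLM Run value named "AGSeyApp"
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'AGSeyApp' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value AGSeyApp = $($run.AGSeyApp)" }

# Version-dependent default installation directories
$installDirs = 'AGSeyApp','AGS8edsApp','AGSeydsApp','A8GSdsApp','AGSedsApp' |
    ForEach-Object { Join-Path $env:ProgramFiles $_ }
# Version-dependent default log directories
$logDirs = @(
    (Join-Path $env:CommonProgramFiles 'SysgeData'),
    (Join-Path $system 'Sys12Data'),
    (Join-Path $system 'Sys52Data'),
    (Join-Path $system 'SysgeData')
)
# Other files and shortcuts the program can create
$extraFiles = @(
    (Join-Path $env:APPDATA 'LHGSYFE'),   # %UserProfile%\Application Data\LHGSYFE
    (Join-Path $system 'LHGSYFE'),
    (Join-Path $system 'GoldenEye.lnk'),
    (Join-Path $system 'GoldnEye.lnk'),
    (Join-Path $system 'GoldEye.lnk')
)
foreach ($p in ($installDirs + $logDirs + $extraFiles)) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# The desktop shortcut name carries 1-3 spaces between "Golden" and "Eye"
$desktop = [Environment]::GetFolderPath('Desktop')
Get-ChildItem -LiteralPath $desktop -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^Golden {1,3}Eye\.lnk$' } |
    ForEach-Object { $findings += "Desktop shortcut: $($_.FullName)" }

# SharedDLLs reference to GEHP.dll, the component specific to this program. The
# CLSID entries register MSCOMCTL.OCX, which legitimate software also installs,
# so they are not treated as a signal here.
$shared = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedDLLs'
$sharedKey = Get-Item -Path $shared -ErrorAction SilentlyContinue
if ($sharedKey) {
    $sharedKey.Property | Where-Object { $_ -like '*\GEHP.dll' } |
        ForEach-Object { $findings += "SharedDLLs entry: $_" }
}

if ($findings) { $findings } else { 'No Spyware.GoldenEye indicators found.' }
```

The hot key (Ctrl+Alt+Shift+P) is a runtime behaviour of the installed program and is not something a file or registry check can confirm.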