Spyware.Ghostlog


Updated: March 22, 2006 2:22:38 PM
Type: Spyware
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.Ghostlog is a commercial Spyware application that records keystrokes, IM conversations, and URLs visited on the compromised computer. It stores this information locally to be viewed later by a third party.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version March 22, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date March 29, 2006

Once executed, it creates the following files:
%SystemDrive%\Win_sys\GhostLog\acwahook.dll
%SystemDrive%\Win_sys\GhostLog\GhostLog.rtf
%SystemDrive%\Win_sys\GhostLog\GLSetup.exe
%SystemDrive%\Win_sys\GhostLog\Logs\EmptyLog.glg
%SystemDrive%\Win_sys\GhostLog\Logs\glap.cfg
%SystemDrive%\Win_sys\GhostLog\Logs\glhelp.html
%SystemDrive%\Win_sys\GhostLog\Logs\Log.glg
%SystemDrive%\Win_sys\GhostLog\syssafe.exe
%SystemDrive%\Win_sys\GhostLog\unins000.dat
%SystemDrive%\Win_sys\GhostLog\unins000.exe

It also creates a number of empty folders in %SystemDrive%\Win_sys. These folders are given common Windows folder names, presumably to trick users into thinking they are legitimate Windows folders. Examples include inetsrv, drivers and dllcache.

The risk then creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysSafe Light_is1
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Brazos volatile counter (This is a legitimate key.)
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process [PROCESS ID] Thread [THREAD ID] DBC [DBC ID] Excel (This is a legitimate key.)
HKEY_LOCAL_MACHINE\SOFTWARE\Izosoft

The risk then creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"KeyLogger" = "C:\Win_sys\GhostLog\syssafe.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"KeyLogger" = "C:\Win_sys\GhostLog\syssafe.exe"

The risk will then monitor keystrokes, Web sites visited, and IM chat messages on the compromised computer. The application can also store passwords and runs in stealth mode.
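The files, decoy folders, registry keys and autostart values listed above can be turned into a host check. The following PowerShell script is an added example and is not part of the Symantec write-up: it tests for each artifact named here, deliberately skips the two ODBC keys the write-up marks as legitimate so they do not cause false positives, and lists any process running from the GhostLog directory. The $Findings list and the process check are assumptions of this example rather than anything the write-up specifies; run it from an elevated prompt.

```powershell
# Added example (not from the Symantec write-up): look for the Spyware.Ghostlog
# artifacts it describes on the local Windows host. Run elevated.

$SystemDrive = $env:SystemDrive                      # usually "C:"
$Base        = Join-Path $SystemDrive 'Win_sys\GhostLog'

# Files the write-up says are created on execution
$Files = @(
    'acwahook.dll', 'GhostLog.rtf', 'GLSetup.exe',
    'Logs\EmptyLog.glg', 'Logs\glap.cfg', 'Logs\glhelp.html', 'Logs\Log.glg',
    'syssafe.exe', 'unins000.dat', 'unins000.exe'
) | ForEach-Object { Join-Path $Base $_ }

# Empty decoy folders named after real Windows directories (write-up examples)
$DecoyFolders = 'inetsrv', 'drivers', 'dllcache' |
    ForEach-Object { Join-Path $SystemDrive "Win_sys\$_" }

# Registry keys created by the installer. The two ODBC keys named in the
# write-up are legitimate Windows keys and are intentionally not checked.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysSafe Light_is1',
    'HKLM:\SOFTWARE\Izosoft'
)

# Autostart locations; the value name is "KeyLogger" in both
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Collected indicators; an assumption of this example, not something the write-up defines
$Findings = [System.Collections.Generic.List[string]]::new()

foreach ($f in $Files)        { if (Test-Path -LiteralPath $f -PathType Leaf)      { $Findings.Add("file: $f") } }
foreach ($d in $DecoyFolders) { if (Test-Path -LiteralPath $d -PathType Container) { $Findings.Add("decoy folder: $d") } }
foreach ($k in $Keys)         { if (Test-Path -LiteralPath $k)                     { $Findings.Add("registry key: $k") } }

foreach ($rk in $RunKeys) {
    # Returns nothing (error suppressed) when the key or the value is absent
    $val = Get-ItemProperty -Path $rk -Name 'KeyLogger' -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $Findings.Add("autostart: $rk\KeyLogger = $($val.KeyLogger)")
    }
}

# Flag any running process whose image lives under the GhostLog directory
Get-Process | Where-Object { $_.Path -and $_.Path.StartsWith($Base, 'OrdinalIgnoreCase') } |
    ForEach-Object { $Findings.Add("process: $($_.Name) (PID $($_.Id)) from $($_.Path)") }

if ($Findings.Count -eq 0) {
    Write-Output 'No Spyware.Ghostlog artifacts found.'
} else {
    Write-Warning "Spyware.Ghostlog artifacts present ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

The script only reports; it does not delete files or registry values, so the evidence stays intact for a responder to review. Note that the write-up lists the files under %SystemDrive%\Win_sys but the Run value with a literal C:\ path, so the script derives the file locations from $env:SystemDrive and reads the autostart value as stored rather than assuming either form.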