Spyware.ESP


Updated: March 24, 2006 5:05:56 PM
Type: Spyware
Risk Impact: High
Systems Affected: Windows

Behavior

Spyware.ESP is a spyware program that monitors user activity on the compromised computer, such as applications executed and keystrokes typed. It also takes screenshots of the desktop.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version March 24, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date March 29, 2006


When the risk is installed, it creates the following files:
%UserProfile%\Desktop\ESP Full.lnk
%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full\ESP Full.lnk
%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full\Readme-Help.lnk
%ProgramFiles%\ESP Full\ESP+.exe
%ProgramFiles%\ESP Full\EventScheduler.mdb
%ProgramFiles%\ESP Full\Help.rtf
%ProgramFiles%\ESP Full\riched32.dll
%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}\_[RANDOM].exe (three files with random names)
%Windir%\Installer\[RANDOM].msi (A copy of the original installer.)

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Horizon DataSys Inc.\ESP+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C\F21F7DAC4F34EDE4EB421B1935BEF2C4
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\F21F7DAC4F34EDE4EB421B1935BEF2C4
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}

The risk then adds the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\ESP Full\ESP+"
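As an added example (not part of this write-up and not a Symantec tool), the following read-only PowerShell triage function checks a host for the file, registry and Run-key artifacts listed above and returns any it finds. The paths, key names, product GUID and the "MSRegScan" value are taken from the write-up; the function name, the output shape and the use of $env:APPDATA as the modern equivalent of %UserProfile%\Application Data are assumptions of this example.

```powershell
# Added example: read-only check for the Spyware.ESP artifacts described in the write-up.
# Assumes an elevated PowerShell session on the host being examined.
function Test-SpywareEspArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()
    $userProfile  = $env:USERPROFILE
    $programFiles = $env:ProgramFiles
    $productGuid  = '{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}'

    # Fixed-name files from the write-up.
    $files = @(
        "$userProfile\Desktop\ESP Full.lnk",
        "$userProfile\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full\ESP Full.lnk",
        "$userProfile\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full\Readme-Help.lnk",
        "$programFiles\ESP Full\ESP+.exe",
        "$programFiles\ESP Full\EventScheduler.mdb",
        "$programFiles\ESP Full\Help.rtf",
        "$programFiles\ESP Full\riched32.dll"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Type = 'File'; Item = $f }
        }
    }

    # Random-named executables under the Windows Installer product directory.
    # The write-up uses the XP-era "Application Data" path; on Vista and later that
    # folder is a junction to $env:APPDATA, so both locations are checked (assumption).
    $installerDirs = @(
        "$userProfile\Application Data\Microsoft\Installer\$productGuid",
        "$env:APPDATA\Microsoft\Installer\$productGuid"
    )
    foreach ($dir in $installerDirs) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter '_*.exe' -ErrorAction SilentlyContinue |
                ForEach-Object { $findings += [pscustomobject]@{ Type = 'File'; Item = $_.FullName } }
        }
    }

    # Registry subkeys the write-up says are created at install time.
    $keys = @(
        'HKLM:\SOFTWARE\Horizon DataSys Inc.\ESP+',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C',
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$productGuid",
        'HKCU:\Software\Microsoft\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C',
        'HKCU:\Software\Microsoft\Installer\Features\F21F7DAC4F34EDE4EB421B1935BEF2C4'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $k }
        }
    }

    # Persistence: the "MSRegScan" Run value pointing into the ESP Full folder.
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = (Get-ItemProperty -Path $runKey -Name 'MSRegScan' -ErrorAction SilentlyContinue).MSRegScan
    if ($runValue -and $runValue -like '*ESP Full\ESP+*') {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\MSRegScan = $runValue" }
    }

    return $findings
}

# Usage: an empty result means none of the listed artifacts were found on this host.
Test-SpywareEspArtifacts | Format-Table -AutoSize
```

The function only reads the file system and registry; it does not delete anything, so it can be run on a suspect machine before deciding on remediation. Absence of every listed artifact is not proof the host is clean, since the write-up's file names include random components and a variant may use different paths.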

In order to run, the risk creates and registers the following legitimate third-party .dll and .ocx files if they do not already exist on the computer:
%System%\actskn43.ocx
%System%\asycfilt.dll
%System%\comcat.dll
%System%\comdlg32.ocx
%System%\dijpg.dll
%System%\mscomct2.ocx
%System%\mscomctl.ocx
%System%\msvbvm60.dll
%System%\msvcrt.dll
%System%\mswinsck.ocx
%System%\oleaut32.dll
%System%\olepro32.dll
%System%\riched32.dll
%System%\richtx32.ocx
%System%\skinboxer43.dll

A number of registry subkeys associated with these .dll files may also be created.

The risk then monitors user activity on the compromised computer, including:
Web sites visited
Applications executed
Files and folders modified
Keystrokes typed
Microsoft Instant Messenger and email traffic

The risk also takes screenshots of the desktop at regular intervals.

Any data logged by the risk may be sent to a predefined email address.