Spyware.Canary

Updated: 22 May 2006
Risk Impact: Medium
Systems Affected: Windows

Behavior

Spyware.Canary is a spyware program that logs all keystrokes and Internet activity.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 02 October 2014 revision 022
  • Initial Daily Certified version 23 May 2006
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 24 May 2006

When the risk is installed, it creates the following files:
C:\WINDOWS\active_skin.ini
C:\WINDOWS\canary-std.exe
C:\WINDOWS\CRS.GIF
C:\WINDOWS\languages.ini
C:\WINDOWS\settings-std.exe
C:\WINDOWS\SKINS.INI
C:\WINDOWS\update1.dat

The risk also creates the following legitimate files:
C:\WINDOWS\TimeDate.dll
C:\WINDOWS\Skins.exe
C:\WINDOWS\VDSBRW50.DLL
C:\WINDOWS\VDSCRYPT.DLL
C:\WINDOWS\VDSGUI.DLL
C:\WINDOWS\VDSRUN50.DLL

Next, the risk creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run\"Canary" = "canary-std.exe"

The risk also creates the following registry keys associated with the legitimate DLLs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\VDSRUN50.DLL" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\TimeDate.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\VDSBRW50.DLL" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\VDSCRYPT.DLL" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\VDSGUI.DLL" = "1"

The risk also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\canary
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\crs-cls

The risk then logs all keystrokes and Internet activity.
Writeup By: Unknown
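
A local triage check for the artifacts listed above, as an added example that is not part of the original writeup. The function name, the use of `$env:SystemRoot` in place of `C:\WINDOWS`, and the extra look in the `WOW6432Node` registry view are assumptions; the files the writeup calls legitimate are reported as context only and do not drive the verdict.

```powershell
# Added example: local triage for the Spyware.Canary artifacts in this writeup.
# Test-CanaryArtifacts and its property names are illustrative, not vendor tooling.
function Test-CanaryArtifacts {
    param([string]$WinDir = $env:SystemRoot)   # the writeup shows C:\WINDOWS

    # Files the writeup attributes to the risk itself.
    $riskFiles = 'active_skin.ini','canary-std.exe','CRS.GIF','languages.ini',
                 'settings-std.exe','SKINS.INI','update1.dat'
    # Files the writeup calls legitimate; other software may ship them too,
    # so they are reported as context and never decide the result.
    $sharedFiles = 'TimeDate.dll','Skins.exe','VDSBRW50.DLL','VDSCRYPT.DLL',
                   'VDSGUI.DLL','VDSRUN50.DLL'

    $foundRisk   = @($riskFiles   | Where-Object { Test-Path -LiteralPath (Join-Path $WinDir $_) })
    $foundShared = @($sharedFiles | Where-Object { Test-Path -LiteralPath (Join-Path $WinDir $_) })

    # Startup value and class subkeys, checked in the native registry view and
    # in WOW6432Node (assumption: a 32-bit installer on 64-bit Windows).
    $roots = 'HKLM:\SOFTWARE','HKLM:\SOFTWARE\WOW6432Node'
    $runHits = @(); $classHits = @()
    foreach ($root in $roots) {
        $runKey = Join-Path $root 'Microsoft\Windows\CurrentVersion\Explorer\Run'
        $run = Get-ItemProperty -LiteralPath $runKey -Name 'Canary' -ErrorAction SilentlyContinue
        if ($run) { $runHits += "$runKey -> $($run.Canary)" }
        foreach ($cls in 'canary','crs-cls') {
            $clsKey = Join-Path $root "Classes\$cls"
            if (Test-Path -LiteralPath $clsKey) { $classHits += $clsKey }
        }
    }

    [pscustomobject]@{
        RiskFiles   = $foundRisk
        SharedFiles = $foundShared
        RunEntries  = $runHits
        ClassKeys   = $classHits
        # Suspect only on artifacts unique to the risk, not on the shared DLLs.
        Suspect     = [bool]($foundRisk.Count -or $runHits.Count -or $classHits.Count)
    }
}

Test-CanaryArtifacts | Format-List
```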