Spyware.EarSpy

Updated: 23 March 2006
Risk Impact: Medium
Systems Affected: Windows

Behavior

Spyware.EarSpy is a spyware program that allows users to remotely log keystrokes and record snapshots on the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 02 October 2014 revision 022
  • Initial Daily Certified version 23 March 2006
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 29 March 2006

Once the risk is installed, it creates the following files:
C:\Program Files\EarSpy\.url
C:\Program Files\EarSpy\ESviewer.exe
C:\Program Files\EarSpy\License.txt
C:\Program Files\EarSpy\unins000.dat
C:\Program Files\EarSpy\unins000.exe
C:\WINDOWS\ESClient.exe
%UserProfile%\Start Menu\Programs\EarSpy\EarSpy Server.lnk
%UserProfile%\Start Menu\Programs\EarSpy\EarSpy Viewer.lnk
%UserProfile%\Start Menu\Programs\EarSpy\License.lnk
%UserProfile%\Start Menu\Programs\EarSpy\menu.lnk
C:\WINDOWS\system32\OLD4.tmp
C:\WINDOWS\system32\OLD7.tmp
C:\WINDOWS\is-RA1L5.exe
C:\WINDOWS\is-RA1L5.lst

The risk also creates the following nonmalicious components that may be used by other programs:
C:\WINDOWS\system32\dllcache\asycfilt.dll
C:\WINDOWS\system32\dllcache\olepro32.dll
C:\WINDOWS\system32\ARButton.ocx
C:\WINDOWS\system32\Enthread.dll
C:\WINDOWS\system32\hwtlb.tlb
C:\WINDOWS\system32\ijl15.dll
C:\WINDOWS\system32\is-19DRT.tmp
C:\WINDOWS\system32\MSVBVM60.dll
C:\WINDOWS\system32\Mswinsck.ocx
C:\WINDOWS\LastGood\system32\asycfilt.dll
C:\WINDOWS\LastGood\system32\olepro32.dll

The risk then creates the following folders:
C:\Program Files\EarSpy
%UserProfile%\Start Menu\Programs\EarSpy

Next, the risk creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Logolp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EarSpy_is1
HKEY_ALL_USERS\SOFTWARE\VB
HKEY_ALL_USERS\SOFTWARE\VBA Program Settings\EarSpyViewer

The risk also creates numerous legitimate registry subkeys associated with the nonmalicious components it creates.

The risk then logs keystrokes and monitors user activity on the compromised computer.
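
The file artifacts listed above can be used to triage a file listing exported from a suspect machine or disk image. The following is an added example, not part of the original write-up: it keeps the EarSpy-specific paths apart from the shared components the write-up calls nonmalicious, so that a Visual Basic runtime DLL on its own is not reported as an infection. The profile roots substituted for %UserProfile%, the indicator subset, and the sample listing are assumptions constructed for illustration.

```python
import re

# Profile roots are an assumption; the write-up only says %UserProfile%.
PROFILE = r"[a-z]:\\(?:documents and settings|users)\\[^\\]+"

# Paths the write-up attributes to EarSpy itself (folders match any file below them).
SPECIFIC = [
    "C:\\Program Files\\EarSpy\\",
    "%UserProfile%\\Start Menu\\Programs\\EarSpy\\",
    "C:\\WINDOWS\\ESClient.exe",
]
# Subset of the components the write-up calls nonmalicious and possibly shared.
SHARED = [
    "C:\\WINDOWS\\system32\\MSVBVM60.dll",
    "C:\\WINDOWS\\system32\\Mswinsck.ocx",
    "C:\\WINDOWS\\system32\\ijl15.dll",
    "C:\\WINDOWS\\system32\\ARButton.ocx",
]

def to_regex(indicator):
    """Compile one indicator into a case-insensitive, fully anchored regex."""
    body = re.escape(indicator).replace(re.escape("%UserProfile%"), PROFILE)
    tail = ".+" if indicator.endswith("\\") else ""  # folder: require a child path
    return re.compile("^" + body + tail + "$", re.IGNORECASE)

def triage(listing):
    """Split a file listing into EarSpy-specific and shared-component hits."""
    specific = [to_regex(i) for i in SPECIFIC]
    shared = [to_regex(i) for i in SHARED]
    hits = {"earspy": [], "shared": []}
    for path in (p.strip() for p in listing):
        if any(r.match(path) for r in specific):
            hits["earspy"].append(path)
        elif any(r.match(path) for r in shared):
            hits["shared"].append(path)
    hits["verdict"] = "earspy-artifacts" if hits["earspy"] else (
        "shared-only" if hits["shared"] else "clean")
    return hits

# Constructed file listing (for example, exported from a disk image); not real data.
SAMPLE = [
    r"c:\program files\earspy\ESviewer.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\EarSpy\EarSpy Server.lnk",
    r"C:\WINDOWS\system32\MSVBVM60.dll",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\EarSpyware Remover\tool.exe",  # similar name, must not match
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "shared-only" verdict means only components that other programs may also install were found, which is not evidence of EarSpy by itself.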