Spyware.ESP

Updated:
24 March 2006
Risk Impact:
High
Systems Affected:
Windows

Behavior

Spyware.ESP is a spyware program that monitors user activity on the compromised computer, such as applications executed and keystrokes typed. It also takes screenshots of the desktop.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 24 March 2006
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 29 March 2006

When the risk is installed, it creates the following files:
%UserProfile%\Desktop\ESP Full.lnk
%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full\ESP Full.lnk
%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full\Readme-Help.lnk
%ProgramFiles%\ESP Full\ESP+.exe
%ProgramFiles%\ESP Full\EventScheduler.mdb
%ProgramFiles%\ESP Full\Help.rtf
%ProgramFiles%\ESP Full\riched32.dll
%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}\_[RANDOM].exe
%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}\_[RANDOM].exe
%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}\_[RANDOM].exe
%Windir%\Installer\[RANDOM].msi (A copy of the original installer.)

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Horizon DataSys Inc.\ESP+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C\F21F7DAC4F34EDE4EB421B1935BEF2C4
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\F21F7DAC4F34EDE4EB421B1935BEF2C4
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\8222F165E61AE07448C5AE79CE44F64C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Start Menu\Programs\Horizon DataSys Inc. Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\%UserProfile%\Application Data\Microsoft\Installer\{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}

The risk then adds the following registry entry so that it runs every time Windows starts (note that the value names the program without its .exe extension):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSRegScan" = "C:\Program Files\ESP Full\ESP+"

In order to run, the risk creates and registers the following legitimate shared runtime and ActiveX components (Visual Basic 6 runtime .dll files and common .ocx controls) if they do not already exist on the computer. These files are used by many other programs and are not indicators of this risk; they should not be removed during cleanup:
%System%\actskn43.ocx
%System%\asycfilt.dll
%System%\comcat.dll
%System%\comdlg32.ocx
%System%\dijpg.dll
%System%\mscomct2.ocx
%System%\mscomctl.ocx
%System%\msvbvm60.dll
%System%\msvcrt.dll
%System%\mswinsck.ocx
%System%\oleaut32.dll
%System%\olepro32.dll
%System%\riched32.dll
%System%\richtx32.ocx
%System%\skinboxer43.dll

Registering these components also creates the corresponding COM/ActiveX registry subkeys (under HKEY_CLASSES_ROOT). Like the files themselves, these subkeys are not specific to this risk.
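As an added host-triage example (written for this page, not a Symantec tool or the vendor's code), the PowerShell script below checks a Windows host for the file, registry and persistence indicators listed above and reports what it finds without removing anything. The WOW6432Node, AppData\Roaming and per-user Start Menu locations used for 64-bit and Vista-or-later systems, the enumeration of every profile folder and loaded user hive, and the Windows Installer InstallProperties lookup are assumptions added here; the packed product GUID is the one that appears on the Features key above. The shared runtime components listed above are deliberately not treated as indicators.

```powershell
# Host-triage script for the Spyware.ESP indicators on this page.
# Example code added for this page, not a Symantec tool. It only reports;
# it removes nothing. Run from an elevated PowerShell so that HKLM and other
# users' profile folders are readable.

$productCode = '{CAD7F12F-43F4-4EDE-BE24-B19153EB2F4C}'
$upgradeCode = '8222F165E61AE07448C5AE79CE44F64C'
$packedCode  = 'F21F7DAC4F34EDE4EB421B1935BEF2C4'   # $productCode in Windows Installer packed form
$findings    = New-Object 'System.Collections.Generic.List[string]'

function Add-Finding([string]$Kind, [string]$Detail) {
    $script:findings.Add(('{0,-7} {1}' -f $Kind, $Detail))
}

# 1. Fixed-name files under %ProgramFiles% (and the 32-bit folder on x64; assumption).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    foreach ($name in 'ESP+.exe', 'EventScheduler.mdb', 'Help.rtf', 'riched32.dll') {
        $f = Join-Path $root ('ESP Full\' + $name)
        if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f }
    }
}

# 2. Per-user artifacts, checked in every profile folder, not only the current user's.
#    "Application Data" / "Start Menu" are the XP-era names from the writeup; the
#    AppData\Roaming paths are their Vista-or-later equivalents (assumption).
$profileRoot = Split-Path -Path $env:USERPROFILE -Parent
foreach ($prof in Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue) {
    $perUser = @(
        'Desktop\ESP Full.lnk',
        'Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full',
        'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Horizon DataSys Inc. Software\ESP Full',
        "Application Data\Microsoft\Installer\$productCode",
        "AppData\Roaming\Microsoft\Installer\$productCode"
    )
    foreach ($rel in $perUser) {
        $p = Join-Path $prof.FullName $rel
        if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p }
    }
}

# 3. Machine-wide registry keys. A 32-bit package's vendor and Uninstall keys land
#    under WOW6432Node on 64-bit Windows; the Installer\UpgradeCodes view is shared.
$machineKeys = @(
    'HKLM:\SOFTWARE\Horizon DataSys Inc.\ESP+',
    'HKLM:\SOFTWARE\WOW6432Node\Horizon DataSys Inc.\ESP+',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$productCode",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$productCode",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\$upgradeCode"
)
foreach ($k in $machineKeys) {
    if (Test-Path -LiteralPath $k) { Add-Finding 'RegKey' $k }
}

# Per-user Installer keys: walk every loaded user hive rather than just HKCU.
foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
    foreach ($rel in "Software\Microsoft\Installer\UpgradeCodes\$upgradeCode",
                     "Software\Microsoft\Installer\Features\$packedCode") {
        $k = "Registry::HKEY_USERS\$($hive.PSChildName)\$rel"
        if (Test-Path -LiteralPath $k) { Add-Finding 'RegKey' $k }
    }
}

# 4. Persistence. The Run value omits ".exe", so match on the value name or on
#    the image path rather than on the exact string from the writeup.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($rk in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    foreach ($v in (Get-ItemProperty -LiteralPath $rk).PSObject.Properties) {
        if ($meta -contains $v.Name) { continue }
        if ($v.Name -eq 'MSRegScan' -or "$($v.Value)" -match 'ESP Full\\ESP\+') {
            Add-Finding 'Run' ('{0}\{1} = {2}' -f $rk, $v.Name, $v.Value)
        }
    }
}

# 5. Cached installer (%Windir%\Installer\[RANDOM].msi). The random file name is
#    recorded by Windows Installer as LocalPackage under the packed product GUID;
#    the wildcard covers both per-machine (S-1-5-18) and per-user installs.
$ip = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\$packedCode\InstallProperties" -ErrorAction SilentlyContinue
foreach ($i in @($ip)) {
    if ($i -and $i.LocalPackage) { Add-Finding 'MSI' $i.LocalPackage }
}

if ($findings.Count -eq 0) { 'No Spyware.ESP indicators found.' }
else { '{0} indicator(s) found:' -f $findings.Count; $findings | Sort-Object -Unique }
```

The script is read-only by design: an analyst should confirm the hits (in particular the cached .msi, whose random name cannot be matched on name alone) and capture the logged keystroke and screenshot data for the investigation before any removal, since the vendor's uninstaller or a security product will delete those artifacts along with the program.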

The risk then monitors user activity on the compromised computer, including:
Web sites visited
Applications executed
Files and folders modified
Keystrokes typed
Microsoft Instant Messenger and email traffic

The risk also takes screenshots of the desktop at regular intervals.

Any data logged by the risk may be sent to a predefined email address.