Spyware.Ghostlog

Updated:
22 March 2006
Risk Impact:
Low
Systems Affected:
Windows

Behavior

Spyware.Ghostlog is a commercial Spyware application that records keystrokes, IM conversations, and URLs visited on the compromised computer. It stores this information locally to be viewed later by a third party.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 02 October 2014 revision 022
  • Initial Daily Certified version 22 March 2006
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 29 March 2006

Once executed, it creates the following files:
%SystemDrive%\Win_sys\GhostLog\acwahook.dll
%SystemDrive%\Win_sys\GhostLog\GhostLog.rtf
%SystemDrive%\Win_sys\GhostLog\GLSetup.exe
%SystemDrive%\Win_sys\GhostLog\Logs\EmptyLog.glg
%SystemDrive%\Win_sys\GhostLog\Logs\glap.cfg
%SystemDrive%\Win_sys\GhostLog\Logs\glhelp.html
%SystemDrive%\Win_sys\GhostLog\Logs\Log.glg
%SystemDrive%\Win_sys\GhostLog\syssafe.exe
%SystemDrive%\Win_sys\GhostLog\unins000.dat
%SystemDrive%\Win_sys\GhostLog\unins000.exe

It also creates a number of empty folders in %SystemDrive%\Win_sys. These folders carry the names of common Windows system folders (for example inetsrv, drivers and dllcache), presumably so that the directory passes for a legitimate Windows folder at a glance.

The risk then creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysSafe Light_is1
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Brazos volatile counter (This is a legitimate ODBC key and not, by itself, an indicator of infection.)
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process [PROCESS ID] Thread [THREAD ID] DBC [DBC ID] Excel (This is a legitimate ODBC key and not, by itself, an indicator of infection.)
HKEY_LOCAL_MACHINE\SOFTWARE\Izosoft

The risk then creates the following registry entries so that it runs every time Windows starts (the RunServices key is processed only by Windows 95/98/Me; on NT-based versions of Windows it is ignored, but its presence is still a useful indicator):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"KeyLogger" = "C:\Win_sys\GhostLog\syssafe.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"KeyLogger" = "C:\Win_sys\GhostLog\syssafe.exe"

The risk then logs keystrokes, Web sites visited, and IM chat messages on the compromised computer, storing them locally for later retrieval. It can also capture passwords and runs in stealth mode, hiding itself from the logged-on user.
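The file, registry and autostart indicators listed above can be checked on a suspect host with the following PowerShell script. It is an added example and is not part of the original write-up or of the GhostLog software. It assumes the default install location under %SystemDrive%\Win_sys\GhostLog and the autostart value name "KeyLogger" exactly as listed; the two legitimate ODBC keys are deliberately left out. It is read-only (it reports and removes nothing) and should be run from an elevated prompt so that HKLM and the Win_sys folder are readable.

```powershell
# Added example: read-only triage check for the Spyware.Ghostlog indicators
# in the write-up above. Not part of the original page. Assumes the default
# install path %SystemDrive%\Win_sys\GhostLog and the value name "KeyLogger".

$root = Join-Path $env:SystemDrive 'Win_sys\GhostLog'

# File indicators, taken from the list of files created on execution.
$files = @(
    'acwahook.dll',
    'GhostLog.rtf',
    'GLSetup.exe',
    'Logs\EmptyLog.glg',
    'Logs\glap.cfg',
    'Logs\glhelp.html',
    'Logs\Log.glg',
    'syssafe.exe',
    'unins000.dat',
    'unins000.exe'
) | ForEach-Object { Join-Path $root $_ }

# Registry keys created by the installer. The two ODBC keys are legitimate
# and so are not treated as indicators here.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysSafe Light_is1',
    'HKLM:\SOFTWARE\Izosoft'
)

# Autostart locations. RunServices is honored only by Windows 9x/Me; on
# NT-based Windows it is inert but still worth reporting.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{
            Type      = 'File'
            Indicator = $f
            Detail    = '{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime
        }
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Indicator = $k; Detail = 'present' }
    }
}

foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $props = Get-ItemProperty -LiteralPath $rk
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        # Match on the documented value name OR on any command that points into
        # the install folder, so a renamed autostart value is still caught.
        if ($p.Name -eq 'KeyLogger' -or "$($p.Value)" -like '*\Win_sys\GhostLog\*') {
            $findings += [pscustomobject]@{
                Type      = 'Autostart'
                Indicator = "$rk\$($p.Name)"
                Detail    = $p.Value
            }
        }
    }
}

# Decoy folders: empty directories under %SystemDrive%\Win_sys named after
# real Windows folders (inetsrv, drivers, dllcache, ...).
$winSys = Join-Path $env:SystemDrive 'Win_sys'
if (Test-Path -LiteralPath $winSys -PathType Container) {
    Get-ChildItem -LiteralPath $winSys -Directory | Where-Object {
        $_.Name -ne 'GhostLog' -and
        -not (Get-ChildItem -LiteralPath $_.FullName -Force | Select-Object -First 1)
    } | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'DecoyDir'; Indicator = $_.FullName; Detail = 'empty' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Spyware.Ghostlog indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The autostart check matches on the command path as well as on the value name, because the value name is the indicator most easily changed by whoever installed the software; a hit on either is reported. A clean run prints a single line, and any findings are listed with type, location and detail so they can be pasted into an incident ticket before removal is attempted.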