Threat Information for "Trojan.PWS.GoldSpy"
Summary
- Name: Trojan.PWS.GoldSpy
- Aliases:
- Date Discovered: 2006-09-26
- Protection Added: 2006-09-27
Description
- Ease of Removal:
  1: Creates new registry entries with consistent data
  2: Consistent file contents
  3: Consistently named
  4: Uses rootkit functionality
  5: Runs as a BHO or shell extension
  6: Runs as a service
  7: Injects DLLs into running processes
  8: Uses redundant/watcher processes
  9: Uses running processes
- Privacy Risks/Security Changes:
  1: Logs browsing habits and visited websites
  2: Mimics legitimate file names
  3: Transmits personal data to remote computers
  4: Harvests personal data
- Damage/Intrusion/Annoyance:
  1: Modifies critical registry entries
  2: Displays targeted popup advertisements
  3: Changes personal browser settings
  4: Changes browser search settings
  5: Changes browser home page
  6: Displays error messages due to buggy code
- Propagation/Saturation:
  1: Infects with other exploitation method
Technical Details
- Added Directory/File:
  FilePath: %SYSTEMDIR%\upperhost.dll
- Added Directory/File:
  FilePath: %SYSTEMDIR%\CsdDriver.sys
- Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Services\CsdDriver
- Added Registry Key:
  Key: HKCR\CLSID\{523455E4-ABCD-ABCD-1114-D709ADD3DDAB}
- Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CSDDRIVER
- Added Registry Key:
  Key: HKLM\SOFTWARE\Classes\CLSID\{523455E4-ABCD-ABCD-1114-D709ADD3DDAB}
- Added Registry Value:
  Key: HKLM\%CURRENTVERSIONREG%\ShellServiceObjectDelayLoad
  Value: UpperHost
- Added Registry Data:
  Key: HKLM\SOFTWARE\Classes\CLSID\*\InProcServer32
  Value: [RANDOM VALUE]
  Data: UpperHost.dll

