Threat Explorer


Spyware.GoldenEye

Updated: 10 February 2006
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.GoldenEye is spyware that logs keystrokes, lists the names of all running programs, and takes screenshots periodically.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 17 March 2019 revision 016
  • Initial Daily Certified version 29 June 2004 revision 019
  • Latest Daily Certified version 17 March 2019 revision 020
  • Initial Weekly Certified release date 30 June 2004

It has been reported that Spyware.GoldenEye is distributed as the file Gesetup.exe.

When the program is executed, it creates the following files:
AGSeyApp.exe
GEHP.dll
BMPtoJPG.dll
KBHOOK.dll
MSCOMCTL.OCX
OLEAUT32.DLL
PICCLP32.OCX
TabCtl32.ocx
Unins000.exe
%USERDESKTOP%\Golden[1-3 SPACES]Eye.lnk

The program allows the person installing it to configure the installation path, log files path, and any hot-key combinations.

The default installation path depends on the version, and can be one of the following:
%ProgramFiles%\AGSeyApp
%ProgramFiles%\AGS8edsApp
%ProgramFiles%\AGSeydsApp
%ProgramFiles%\A8GSdsApp
%ProgramFiles%\AGSedsApp

The default log files path also depends on the version and can be one of the following:
%ProgramFiles%\CommonFiles\SysgeData
%System%\Sys12Data
%System%\Sys52Data
%System%\SysgeData

The program can also create the following files:
%UserProfile%\Application Data\LHGSYFE
%System%\LHGSYFE
%System%\GoldenEye.lnk
%System%\GoldnEye.lnk
%System%\GoldEye.lnk

The default hot key is Ctrl+Alt+Shift+P.

The program adds the following registry entry so that the spyware runs when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"AGSeyApp"="[INSTALLATION PATH]\AGSeyApp.exe"

The program also adds the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\OLEAUT32.DLL" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\MSCOMCTL.OCX" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\TabCtl32.ocx" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\PICCLP32.OCX" = "0x1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\[PATH TO EXECUTABLE]\GEHP.dll" = "0x1"
HKEY_CLASSES_ROOT\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
HKEY_CLASSES_ROOT\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ToolboxBitmap32\"(Default)"= "[PATH TO EXECUTABLE]\MSCOMCTL.OCX"
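The following read-only triage script is an added example, not part of the Symantec write-up; it checks a host for the Run-key value, default installation and log directories, dropped files and the GEHP.dll SharedDLLs entry listed above. It assumes %System% maps to System32, %UserProfile%\Application Data to $env:APPDATA, and %ProgramFiles%\CommonFiles to the Common Files folder; the MSCOMCTL.OCX CLSID entries are not checked because that control is a standard component.

```powershell
# Added triage check for the Spyware.GoldenEye artifacts described in the write-up.
# Read-only: it reports findings and removes nothing. Environment expansions
# ($env:SystemRoot\System32 for %System%, $env:APPDATA for Application Data,
# $env:CommonProgramFiles for CommonFiles) are assumptions about the host layout.

$findings = @()
$sys = Join-Path $env:SystemRoot 'System32'

# 1. Persistence: HKLM\...\Run\"AGSeyApp" = "[INSTALLATION PATH]\AGSeyApp.exe"
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['AGSeyApp']) {
    $findings += "Run value AGSeyApp -> $($run.AGSeyApp)"
}

# 2. Default installation directories (folder name varies by version)
$installDirs = 'AGSeyApp','AGS8edsApp','AGSeydsApp','A8GSdsApp','AGSedsApp' |
    ForEach-Object { Join-Path $env:ProgramFiles $_ }

# 3. Default log directories (both spellings of the Common Files path are tried)
$logDirs = @((Join-Path $env:CommonProgramFiles 'SysgeData'),
             (Join-Path $env:ProgramFiles 'CommonFiles\SysgeData')) +
    ('Sys12Data','Sys52Data','SysgeData' | ForEach-Object { Join-Path $sys $_ })

# 4. Other files the program can create
$extraFiles = @((Join-Path $env:APPDATA 'LHGSYFE'), (Join-Path $sys 'LHGSYFE')) +
    ('GoldenEye.lnk','GoldnEye.lnk','GoldEye.lnk' | ForEach-Object { Join-Path $sys $_ })

foreach ($p in ($installDirs + $logDirs + $extraFiles)) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# Desktop shortcut "Golden[1-3 SPACES]Eye.lnk": match the variable spacing with a wildcard
$desktop = [Environment]::GetFolderPath('Desktop')
Get-ChildItem -Path $desktop -Filter 'Golden*Eye.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Desktop shortcut: $($_.FullName)" }

# 5. SharedDLLs reference to GEHP.dll, the only non-standard component the write-up lists
$sharedKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedDLLs'
$shared = Get-ItemProperty -Path $sharedKey -ErrorAction SilentlyContinue
if ($shared) {
    $shared.PSObject.Properties |
        Where-Object { $_.Name -like '*\GEHP.dll' } |
        ForEach-Object { $findings += "SharedDLLs entry: $($_.Name)" }
}

if ($findings.Count -eq 0) { 'No Spyware.GoldenEye artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated session so the HKLM keys and System32 are readable; a hit on the Run value or an install directory is a stronger indicator than a lone SharedDLLs entry.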