Spyware.Canary
- Updated: May 22, 2006
- Risk Impact: Medium
- Systems Affected: Windows
Antivirus Protection Dates
- Initial Rapid Release version October 02, 2014 revision 022
- Latest Rapid Release version October 02, 2014 revision 022
- Initial Daily Certified version May 23, 2006
- Latest Daily Certified version September 28, 2010 revision 036
- Initial Weekly Certified release date May 24, 2006
Spyware.Canary is a spyware program that logs all keystrokes and Internet activity.
When the risk is installed, it creates the following files:
C:\WINDOWS\active_skin.ini
C:\WINDOWS\canary-std.exe
C:\WINDOWS\CRS.GIF
C:\WINDOWS\languages.ini
C:\WINDOWS\settings-std.exe
C:\WINDOWS\SKINS.INI
C:\WINDOWS\update1.dat
The risk also creates the following legitimate files:
C:\WINDOWS\TimeDate.dll
C:\WINDOWS\Skins.exe
C:\WINDOWS\VDSBRW50.DLL
C:\WINDOWS\VDSCRYPT.DLL
C:\WINDOWS\VDSGUI.DLL
C:\WINDOWS\VDSRUN50.DLL
Next, the risk creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run\"Canary" = "canary-std.exe"
The risk also creates the following registry entries, which are associated with the legitimate DLLs listed above:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\VDSRUN50.DLL" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\TimeDate.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\VDSBRW50.DLL" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\VDSCRYPT.DLL" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\VDSGUI.DLL" = "1"
The risk also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\canary
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\crs-cls
The risk then logs all keystrokes and Internet activity.
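The following PowerShell check is an added example, not part of the original writeup or any vendor tool. It looks for the files, startup value and class subkeys listed above and reports the legitimate shared files separately, since their presence alone does not identify the risk. The function names and the WOW6432Node lookup are assumptions made for this example.

```powershell
# Added example. File names and registry paths are the ones listed in the writeup.
$winDir      = 'C:\WINDOWS'
$riskFiles   = 'active_skin.ini','canary-std.exe','CRS.GIF','languages.ini',
               'settings-std.exe','SKINS.INI','update1.dat'
# Legitimate shared components: supporting context only, never a finding by themselves.
$sharedFiles = 'TimeDate.dll','Skins.exe','VDSBRW50.DLL','VDSCRYPT.DLL',
               'VDSGUI.DLL','VDSRUN50.DLL'
# Assumption: on 64-bit Windows a 32-bit installer would be redirected to WOW6432Node.
$softwareRoots = 'HKLM:\SOFTWARE','HKLM:\SOFTWARE\WOW6432Node'

# Hypothetical helper: one uniform record per artifact found.
function New-Finding($Kind, $Item, $Weight) {
    [pscustomobject]@{ Kind = $Kind; Item = $Item; Weight = $Weight }
}

function Get-CanaryArtifacts {
    foreach ($name in $riskFiles) {
        $path = Join-Path $winDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { New-Finding 'File' $path 'Indicator' }
    }
    foreach ($name in $sharedFiles) {
        $path = Join-Path $winDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { New-Finding 'File' $path 'Context' }
    }
    foreach ($root in $softwareRoots) {
        # Startup value "Canary" = "canary-std.exe"
        $runKey = "$root\Microsoft\Windows\CurrentVersion\Explorer\Run"
        $run = Get-ItemProperty -LiteralPath $runKey -Name 'Canary' -ErrorAction SilentlyContinue
        if ($run) { New-Finding 'RunValue' "$runKey\Canary = $($run.Canary)" 'Indicator' }
        # Class subkeys created by the risk
        foreach ($sub in 'canary','crs-cls') {
            $key = "$root\Classes\$sub"
            if (Test-Path -LiteralPath $key) { New-Finding 'RegKey' $key 'Indicator' }
        }
    }
}

$found      = @(Get-CanaryArtifacts)
$indicators = @($found | Where-Object Weight -eq 'Indicator')
$found | Sort-Object Weight, Kind | Format-Table -AutoSize
if ($indicators.Count -gt 0) {
    "Spyware.Canary artifacts present: $($indicators.Count) indicator(s)."
} elseif ($found.Count -gt 0) {
    'Only the legitimate shared files were found; not conclusive on their own.'
} else {
    'No listed artifacts found.'
}
```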