CodeStoreDB
This SBI command is outdated and will probably not be supported in Spybot-S&D 2.0. As of yet, it is unclear whether an automated conversion path exists. Automated conversion paths may also be less sufficient than a manual upgrade. We recommend that you take a look at RegyKey for a possible alternative command. |
If the download of the spyware was done using ActiveX, information may be saved in the Code Store Database. This command identifies those database entries by the used URL.
Usage
CodeStoreDB:<part of url>[,advanced build parameters]
Examples
CodeStoreDB:"download.spyware.com"
This search would identify the following entry in the Code Store Database:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation] "CODEBASE"="http://download.spyware.com/archive.cab"
Description
If malware sites use random GUIDs to describe ActiveX components, this command would help you identify them using the URL they were downloaded from by specifying a substring of the URL.
- The first and only parameter specifies a substring of the URL. After 1.5.2, Algo-Prefixes will be supported here as well. AP
Using the RegyKey SBI Command along with the proper advanced registry parameters would do the same, but also allow you to use Algo-Prefixes to have more control on how to identify the URL. This way is recommended to avoid ambiguous detections (most popular example would be that gator.com would also identify newsgator.com, a false positive that happened some years ago).
Take special care when the installer includes newer version of system files, as some badly written DPFs do, since these files would get flagged as well.
Scan Results
- DPF registry entries that were identified.
- The associated files mentioned in the registry key (under the \Contains\Files\ subkey).