Difference between revisions of "CodeStoreDB"

From SpybotWiki
Latest revision as of 16:09, 22 February 2008

CodeStoreDB
Group: Registry
Main Application Version: 1.3 or later
Required Update: n/a
File Parameters: no
Registry Parameters: no
Build Parameters: yes (second)
Special Parameters: no
This SBI command is outdated and will probably not be supported in Spybot-S&D 2.0. It is not yet clear whether an automated conversion path exists, and an automated conversion may also be less complete than a manual upgrade. We recommend that you take a look at RegyKey as a possible alternative command.

If the spyware was downloaded using ActiveX, information about it may have been saved in the Code Store Database. This command identifies those database entries by the URL that was used for the download.

Usage

CodeStoreDB:<urlpart(string)>[,advanced build parameters]

Examples

CodeStoreDB:"download.spyware.com"

This search would identify the following entry in the Code Store Database:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation]
"CODEBASE"="http://download.spyware.com/archive.cab"

Description

If malware sites use random GUIDs for their ActiveX components, this command helps you identify them by the URL they were downloaded from: you specify a substring of that URL.

Using the RegyKey SBI command along with the proper advanced registry parameters would do the same, but would also allow you to use Algo-Prefixes for more control over how the URL is matched. That approach is recommended to avoid ambiguous detections (the most popular example is that "gator.com" would also match "newsgator.com", a false positive that happened some years ago).

Take special care when the installer includes newer versions of system files, as some badly written DPFs do, since those files would get flagged as well.
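As an added illustration (not part of the original page or of Spybot's own code), the following Python models the substring matching described above against a constructed .reg export of Distribution Units entries, and shows why the "gator.com" substring also hits "newsgator.com" while a host-anchored comparison does not. The GUIDs and URLs in the sample are made up, and case-insensitive matching is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample .reg export; GUIDs and URLs are invented for this example.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation]
"CODEBASE"="http://download.spyware.com/archive.cab"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11111111-2222-3333-4444-555555555555}\DownloadInformation]
"CODEBASE"="http://www.gator.com/install/gator.cab"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\DownloadInformation]
"CODEBASE"="http://www.newsgator.com/reader/setup.cab"
'''

KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Code Store Database\\'
    r'Distribution Units\\(\{[0-9A-Fa-f-]+\})\\DownloadInformation\]$')
VALUE_RE = re.compile(r'^"CODEBASE"="([^"]*)"$')

def parse_distribution_units(reg_text):
    """Return (guid, codebase_url) pairs from a .reg-style export."""
    units, guid = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            guid = m.group(1)          # remember the unit whose values follow
            continue
        m = VALUE_RE.match(line)
        if m and guid:
            units.append((guid, m.group(1)))
            guid = None
    return units

def codestoredb_match(units, urlpart):
    """CodeStoreDB semantics as described on the page: substring of CODEBASE
    (assumed case-insensitive). Returns the GUIDs of matching units."""
    needle = urlpart.lower()
    return [g for g, url in units if needle in url.lower()]

def host_match(units, host):
    """Stricter alternative: the URL's host must be `host` or a subdomain of it,
    so "gator.com" no longer matches "newsgator.com"."""
    host = host.lower()
    out = []
    for g, url in units:
        h = (urlparse(url).hostname or '').lower()
        if h == host or h.endswith('.' + host):
            out.append(g)
    return out
```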

Scan Results

  • DPF registry entries that were identified.
  • The associated files mentioned in the registry key (under the \Contains\Files\ subkey).

See also

Similar commands