F-Secure Malware Information Pages: Trojan-Spy:W32/KeyLogger.RM

Main Index

Security Guide

F-Secure World Map

Security Alerts

Virus Statistics

Malware Removal Tools

Malware Code Glossary

Submit Malware Sample

Select local site

Main Index » Security Centre » Descriptions

F-Secure Malware Information Pages: Trojan-Spy:W32/KeyLogger.RM

[Summary] \| [Detailed Description] \| [Detection]
Name :	Trojan-Spy:W32/KeyLogger.RM
Alias:	Trojan-Spy.Win32.KeyLogger.rl, Trojan-Spy.Win32.KeyLogger.rm, Trojan-Spy.Win32.KeyLogger.rk
Type:	Trojan-Spy
Category:	Malware
Platform:	W32
Date of Discovery:	October 28, 2007

Radar

Summary

This is a key-logging trojan that logs all the keystrokes of the user and sends them to a particular website.

Back to the Top

Detailed Description

This malware may arrive as an attachment labeled as a Microsoft Word RTF file.

Upon Execution, this malware displays the following fake error message:

It then drops the following files on Windows System folder:

%systemdir%\GenuineLicence.exe
Detected as Trojan-Spy.Win32.KeyLogger.rk
%systemdir%\kbd.dll
Detected as Trojan-Spy.Win32.KeyLogger.rk
%systemdir%\test.dll
Detected as Trojan-Spy.Win32.KeyLogger.rl

Note: %systemdir% by default is C:\Windows\system32

It also creates the following registry key as part of its auto-start mechanism:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
service = "C:\WINDOWS\system32\GenuineLicence.exe"

Initially, it will try to contact this URL to set the infected machine's status

http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php

Then this malware sends the user's keystrokes including its ip address to this URL:

http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php

Back to the Top

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2007-10-29_07.

Back to the Top

F-Secure Corporation

Last Modified: October 31, 2007