
F-Secure Malware Information Pages: Trojan-Spy:W32/KeyLogger.RM


Name: Trojan-Spy:W32/KeyLogger.RM
Alias: Trojan-Spy.Win32.KeyLogger.rl, Trojan-Spy.Win32.KeyLogger.rm, Trojan-Spy.Win32.KeyLogger.rk
Type: Trojan-Spy
Category: Malware
Platform: W32
Date of Discovery: October 28, 2007

Summary
This is a key-logging trojan that logs all the keystrokes of the user and sends them to a particular website.

Detailed Description
This malware may arrive as an attachment labeled as a Microsoft Word RTF file.

Upon execution, this malware displays a fake error message.

It then drops the following files into the Windows System folder:

  • %systemdir%\GenuineLicence.exe
    Detected as Trojan-Spy.Win32.KeyLogger.rk
  • %systemdir%\kbd.dll
    Detected as Trojan-Spy.Win32.KeyLogger.rk
  • %systemdir%\test.dll
    Detected as Trojan-Spy.Win32.KeyLogger.rl

Note: %systemdir% by default is C:\Windows\system32

It also creates the following registry key as part of its auto-start mechanism:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    service = "C:\WINDOWS\system32\GenuineLicence.exe"

Initially, it tries to contact this URL to set the infected machine's status:

  • http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php

It then sends the user's keystrokes, together with the infected machine's IP address, to this URL:

  • http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php
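As an added example (not F-Secure's detection logic), the following defender-side check matches the dropped-file names and the Run value listed above against a `reg export` of the Run key and a directory listing of %systemdir%; the registry text and the file list are constructed samples, not data from a real host.

```python
import re

# Indicators quoted from the advisory: files dropped into %systemdir% and the Run value name.
DROPPED_FILES = {"genuinelicence.exe", "kbd.dll", "test.dll"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME, RUN_VALUE_FILE = "service", "genuinelicence.exe"

# Constructed sample of a `reg export` of the Run key (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"service"="C:\\WINDOWS\\system32\\GenuineLicence.exe"
'''

# Constructed sample listing of %systemdir% (one benign entry plus the drops).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\GenuineLicence.exe",
    r"C:\WINDOWS\system32\kbd.dll",
    r"C:\WINDOWS\system32\test.dll",
]

def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes and quotes inside string data
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_indicators(reg_text, listing):
    """Return (kind, name, evidence) tuples for every advisory indicator present."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME and data.lower().endswith(RUN_VALUE_FILE):
            hits.append(("run_value", name, data))
    for path in listing:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DROPPED_FILES:  # kbd.dll/test.dll are generic names: confirm with the scanner detection
            hits.append(("dropped_file", base, path))
    return hits
```

Run `find_indicators(SAMPLE_REG, SAMPLE_LISTING)` to list the four indicators present in the samples; on a real host, feed it the output of `reg export` for the Run key and a listing of C:\Windows\system32.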

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2007-10-29_07.





F-Secure Corporation

Last Modified: October 31, 2007