Trojan-Spy:W32/KeyLogger.RM

Name: Trojan-Spy:W32/KeyLogger.RM
Category: Malware
Type: Trojan-Spy
Platform: W32
Date of Discovery: October 28, 2007

Summary

This is a key-logging trojan that records all of the user's keystrokes and sends them to a particular website.

Additional Details

This malware may arrive as an e-mail attachment labeled as a Microsoft Word RTF file.

Upon execution, this malware displays a fake error message (the screenshot is not reproduced here).

It then drops the following files into the Windows System folder:

  • %systemdir%\GenuineLicence.exe (detected as Trojan-Spy.Win32.KeyLogger.rk)
  • %systemdir%\kbd.dll (detected as Trojan-Spy.Win32.KeyLogger.rk)
  • %systemdir%\test.dll (detected as Trojan-Spy.Win32.KeyLogger.rl)

Note: by default, %systemdir% is C:\Windows\system32.

It also creates the following registry value as part of its auto-start mechanism, so that the dropped executable runs at every logon:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    service = "C:\WINDOWS\system32\GenuineLicence.exe"

Initially, it contacts the following URL to report the infected machine's status:

  • http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php

The malware then sends the user's keystrokes, together with the machine's IP address, to the following URL:

  • http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php
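The following host check is an added example and is not part of the F-Secure description or its tooling. It looks for the three indicator types listed above (dropped files in the System folder, the "service" Run value, and live TCP sessions to the collection host 208.101.11.38). The file names, registry value and IP address come from this description; the function names and the output layout are this example's own, and it assumes a Windows host with PowerShell 4 or later (for Get-FileHash) and the NetTCPIP module (for Get-NetTCPConnection).

```powershell
# Added example: check a Windows host for the Trojan-Spy:W32/KeyLogger.RM
# indicators named in the description above. Run from an elevated prompt.

$SystemDir = [Environment]::GetFolderPath('System')   # normally C:\Windows\system32

# Files the trojan drops (from the description)
$DroppedFiles = @('GenuineLicence.exe', 'kbd.dll', 'test.dll')

# Auto-start value the trojan writes (from the description)
$RunKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue   = 'service'
$RunPattern = 'GenuineLicence\.exe'

# Host the trojan reports to and exfiltrates keystrokes to (from the description)
$C2Address  = '208.101.11.38'

function Test-DroppedFiles {
    foreach ($name in $DroppedFiles) {
        $path = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $path) {
            # Record the hash so the sample can be matched against AV verdicts later
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Indicator = 'DroppedFile'; Detail = $path; Hash = $hash }
        }
    }
}

function Test-RunKey {
    $item = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
        if ($prop.Name -like 'PS*') { continue }
        # Flag the exact value name from the description, and any other Run
        # entry that points at the dropped executable under a different name
        if ($prop.Name -eq $RunValue -or ([string]$prop.Value) -match $RunPattern) {
            [pscustomobject]@{ Indicator = 'RunKey'; Detail = "$($prop.Name) = $($prop.Value)"; Hash = $null }
        }
    }
}

function Test-C2Connection {
    # Keystroke upload is over HTTP, so look for TCP sessions to the collection host
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $C2Address } |
        ForEach-Object {
            $detail = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State), PID $($_.OwningProcess))"
            [pscustomobject]@{ Indicator = 'C2Connection'; Detail = $detail; Hash = $null }
        }
}

$findings = @(Test-DroppedFiles) + @(Test-RunKey) + @(Test-C2Connection)
if ($findings.Count -eq 0) {
    Write-Output 'No Trojan-Spy:W32/KeyLogger.RM indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Run value alone is the most durable signal: the dropped files can be renamed or re-packed, but the persistence entry must point at something that still runs at logon, which is why Test-RunKey also matches on the target path rather than only on the value name "service". Absence of a connection to 208.101.11.38 proves little, since the keylogger only uploads periodically; pair this check with a proxy or firewall log search for the same address.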

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2007-10-29_07.