F-Secure
Tools
Trojan-Spy:W32/KeyLogger.RM
| Name : | Trojan-Spy:W32/KeyLogger.RM |
| Category: | Malware |
| Type: | Trojan-Spy |
| Platform: | W32 |
| Date of Discovery: | October 28, 2007 |
Summary
This is a key-logging trojan that logs all the keystrokes of the user and sends them to a particular website.
Additional Details
This malware may arrive as an attachment labeled as a Microsoft Word RTF file.
Upon Execution, this malware displays the following fake error message:
It then drops the following files on Windows System folder:
Note: %systemdir% by default is C:\Windows\system32
It also creates the following registry key as part of its auto-start mechanism:
Initially, it will try to contact this URL to set the infected machine's status
Then this malware sends the user's keystrokes including its ip address to this URL:
Upon Execution, this malware displays the following fake error message:
It then drops the following files on Windows System folder:
• %systemdir%\GenuineLicence.exe
Detected as Trojan-Spy.Win32.KeyLogger.rk
Detected as Trojan-Spy.Win32.KeyLogger.rk
• %systemdir%\kbd.dll
Detected as Trojan-Spy.Win32.KeyLogger.rk
Detected as Trojan-Spy.Win32.KeyLogger.rk
• %systemdir%\test.dll
Detected as Trojan-Spy.Win32.KeyLogger.rl
Detected as Trojan-Spy.Win32.KeyLogger.rl
Note: %systemdir% by default is C:\Windows\system32
It also creates the following registry key as part of its auto-start mechanism:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
service = "C:\WINDOWS\system32\GenuineLicence.exe"
service = "C:\WINDOWS\system32\GenuineLicence.exe"
Initially, it will try to contact this URL to set the infected machine's status
• http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php
Then this malware sends the user's keystrokes including its ip address to this URL:
• http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2007-10-29_07.