Threat Descriptions

Monitoring-Tool:W32/Perflogger

Classification

Category :

Riskware

Type :

Monitoring-Tool

Platform :

W32

Aliases :

-

Summary

A program that monitors and records all actions on a computer, including keystrokes entered.

Removal

Based on the settings of your F-Secure security product, it may block the file from running, move it to the quarantine where it cannot spread or cause harm, or ask you to select an action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Monitoring-Tool:W32/Perflogger is a commercial monitoring program that can be purchased and downloaded onto a system from the company's webiste.

As with other monitoring tools, Perflooger can monitor various user activities such as keystrokes typed, chat messages logged, web browser activity and even screenshots of the active Windows desktop. It can also be configured to run in stealth mode and hide its view in the Task Manager and System Tray.

The information monitored is stored in a log file, which can be forwarded to an external party via e-mail, or uploaded to an FTP server in either encrypted or HTML format. When in encrypted format, the log file is only viewable using the built-in Log Viewer.&

Installation

The default installation folder for this program is:

  • C:\Program Files\BPK

The installation location is configurable.

When installed a user's configurable installation folder, common file names used are:

  • bpk.chm
  • downloads.url
  • inst.bin
  • install.log
  • license.txt
  • order.url
  • bpk.exe
  • bpkhk.dll
  • bpki.dll
  • bpkr.exe
  • bpkun.exe
  • bpkvw.exe
  • bpkwb.dll

During the installation process, Perflogger allows the user to hide the presence of its main component files by inputting a keyword that renames the files.

Registry

Peflogger creates the following common registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"bpk"="{installation_folder}\bpk.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Perfect Keylogger]"DisplayName"="BlazingTools Perfect Keylogger" "UninstallString"="{instllation_folder}\bpkun.exe"
  • [HKEY_CLASSES_ROOT\PK.IE]
  • [HKEY_CLASSES_ROOT\PK.IE.1]
  • [HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
  • [HKEY_CLASSES_ROOT\Inteface\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
  • [HKEY_CLASSES_ROOT\TypeLib\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PK.IE]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]