
Trojan:WinNT/Gekey.A!rootkit


First posted on 02 September 2010.
Source: SecurityHome

Aliases :

Trojan:WinNT/Gekey.A!rootkit is also known as Dropper/Malware.53248.BQ (AhnLab), Trojan-Dropper.Win32.Agent.cbdb (Kaspersky), W32/Rootkit.AIWH.dropper (Norman), Trojan.DR.Agent.VZCP (VirusBuster), Trojan horse Rootkit-Agent.BN (AVG), TR/Crypt.XPACK.Gen (Avira), Dropped:Rootkit.Agent.AJBR (BitDefender), Dropper.Win32.Minit.w (Rising AV), Trojan.Win32.Generic!BT (Sunbelt Software).

Explanation :

Trojan:WinNT/Gekey.A!rootkit is the detection for a multi-partite malware family consisting of a dropper, a password-stealing component and a rootkit driver. It logs keystrokes and other user credentials and sends this information to a remote attacker. Its malicious activity is hidden from the affected user.

The dropper component does the following:

  • Extracts and saves the password-stealing and rootkit driver as %TEMP%\getkey.sys (also detected as Trojan:WinNT/Gekey.A!rootkit).
  • Starts and stops keystroke logging by communicating with the driver file %TEMP%\getkey.sys.
  • Note: the %TEMP%\getkey.sys driver file is hidden from user-level applications.

Payload :

Logs keystrokes and steals credentials

The malware logs keystrokes from applications and saves the details to the temporary file %TEMP%\qimawy.txt. The logged information may include, but is not limited to, the IP address, computer name, CPU information, and usernames and passwords from various applications. After this information has been recorded, the log file is sent to the remote attacker via HTTP.
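The two file artifacts named in this description (%TEMP%\getkey.sys and %TEMP%\qimawy.txt) can be checked for during triage, but because the driver hides its own file from user-level applications, a directory listing taken from inside the running system may not show it. The following Python script is an added example written for this page and is not code from the advisory or its source; it takes two listings supplied by the analyst, one from user-mode enumeration and one taken out-of-band (for example from a disk image), matches both against the named artifact paths, and reports entries that appear only in the out-of-band view (a cross-view difference, which is empty on a clean system). The %TEMP% directory and both listings below are constructed sample data, not observations from a real host.

```python
r"""Offline artifact check for the Trojan:WinNT/Gekey.A!rootkit indicators
named in the description above. Added example, not part of the advisory.

The rootkit driver hides %TEMP%\getkey.sys from user-mode applications, so
a listing produced on the live system may lack it. This check therefore
compares a user-mode listing against an out-of-band listing (disk image or
boot from clean media) and reports both IOC hits and cross-view differences.
"""
import ntpath

# Artifact paths taken from the description. %TEMP% is expanded to the
# per-user temp directory supplied by the caller.
IOC_PATHS = (
    r"%TEMP%\getkey.sys",   # password-stealing / rootkit driver
    r"%TEMP%\qimawy.txt",   # keystroke log staged for HTTP exfiltration
)


def expand_temp(path, temp_dir):
    """Replace the %TEMP% placeholder with a concrete directory."""
    return path.replace("%TEMP%", temp_dir)


def normalize(path):
    """Windows paths are case-insensitive; normalize separators and case."""
    return ntpath.normpath(path).lower()


def match_iocs(listing, temp_dir):
    """Return the entries of `listing` that equal a known artifact path."""
    wanted = {normalize(expand_temp(p, temp_dir)) for p in IOC_PATHS}
    return sorted(p for p in listing if normalize(p) in wanted)


def cross_view_hidden(user_mode_listing, raw_listing):
    """Entries present in the out-of-band listing but absent from the
    user-mode listing. A non-empty result indicates something is being
    hidden from user-mode enumeration."""
    user_view = {normalize(p) for p in user_mode_listing}
    return sorted(p for p in raw_listing if normalize(p) not in user_view)


def assess(user_mode_listing, raw_listing, temp_dir):
    """Combine IOC matching on the trustworthy (raw) view with the
    cross-view difference into one triage result."""
    hits = match_iocs(raw_listing, temp_dir)
    hidden = cross_view_hidden(user_mode_listing, raw_listing)
    return {
        "ioc_hits": hits,
        "hidden_entries": hidden,
        "suspected_gekey": bool(hits),
    }


# Constructed sample listings (hypothetical user and file names, not real
# system data). The driver appears only in the out-of-band view, mirroring
# the hiding behaviour described above.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
USER_MODE = [
    TEMP + r"\qimawy.txt",
    TEMP + r"\~DF3A2B.tmp",
    r"C:\Windows\System32\drivers\ndis.sys",
]
RAW = USER_MODE + [TEMP + r"\GETKEY.SYS"]

if __name__ == "__main__":
    for key, value in assess(USER_MODE, RAW, TEMP).items():
        print(key, value)
```

Matching on the raw view rather than the user-mode view is deliberate: the user-mode view is exactly what the driver manipulates, so only the out-of-band listing can be trusted to contain the driver file. The keystroke log %TEMP%\qimawy.txt is visible in both views here; whether it is also hidden is not stated in the description, so the sample data does not assume it.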

Analysis by Rodel Finones

Last update 02 September 2010
