
MonitoringTool:MSIL/TBKeylogger


First posted on 28 October 2014.
Source: Microsoft

Aliases :

There are no other names known for MonitoringTool:MSIL/TBKeylogger.

Explanation :

Threat behavior

The tool creates a registry entry so that it runs each time you start your PC:

In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: The Best Keylogger
With data:

It can install the following files into the folder %ProgramData%\SysApp:

  • Janus.Data.v3.dll
  • Janus.Windows.ButtonBar.v3.dll
  • Janus.Windows.Common.v3.dll
  • Janus.Windows.GridEX.v3.dll
  • NDde.dll
  • SysAppInstaller.exe
  • SysAppInstaller.exe.config
  • SysDir.exe
  • SysDir.exe.config
  • SysDir.InstallState
  • TheBestLicence.rtf


The tool can run in a hidden mode - this means you won't see that it's running.

It can capture what you are doing on your PC. In particular, it can:

  • Take screenshots when you click the mouse
  • Log and record what you print
  • Intercept and keep a record of communications in chat rooms and instant messengers
  • Log and record what you type on your keyboard, such as usernames and passwords
  • Make automatic backups of files that you create, rename, or delete


It can send this information to an email address or over an FTP connection that is specified when the tool is installed.



Analysis by Mihai Calota

Symptoms

The following could indicate that you have this program on your PC:

  • You have these files in the folder %ProgramData%\SysApp:

    • Janus.Data.v3.dll
    • Janus.Windows.ButtonBar.v3.dll
    • Janus.Windows.Common.v3.dll
    • Janus.Windows.GridEX.v3.dll
    • NDde.dll
    • SysAppInstaller.exe
    • SysAppInstaller.exe.config
    • SysDir.exe
    • SysDir.exe.config
    • SysDir.InstallState
    • TheBestLicence.rtf
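
A host check for the indicators listed above, as an added example that is not part of the original Microsoft description; the function name, parameter names and output fields are assumptions chosen for illustration. The page gives no data for the registry value, so the script only reports whether the value exists and what it currently holds.

```powershell
function Test-TBKeyloggerIndicators {
    param(
        # Folder and key named on this page; parameters (hypothetical names) allow
        # pointing the check at a mounted disk image or a loaded offline hive.
        [string]$InstallDir  = (Join-Path $env:ProgramData 'SysApp'),
        [string]$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    # File names exactly as listed on this page.
    $listed = @(
        'Janus.Data.v3.dll', 'Janus.Windows.ButtonBar.v3.dll',
        'Janus.Windows.Common.v3.dll', 'Janus.Windows.GridEX.v3.dll',
        'NDde.dll', 'SysAppInstaller.exe', 'SysAppInstaller.exe.config',
        'SysDir.exe', 'SysDir.exe.config', 'SysDir.InstallState',
        'TheBestLicence.rtf'
    )

    # Only files inside the listed folder are matched; names alone are not treated as indicators.
    $foundFiles = @()
    $dirExists = Test-Path -LiteralPath $InstallDir -PathType Container
    if ($dirExists) {
        # -Force also lists files carrying the Hidden or System attribute.
        $present = @(Get-ChildItem -LiteralPath $InstallDir -File -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)
        $foundFiles = @($listed | Where-Object { $present -contains $_ })
    }

    # Value name from this page; presence is checked, data is reported as found.
    $valueName    = 'The Best Keylogger'
    $valuePresent = $false
    $valueData    = $null
    $key = Get-Item -LiteralPath $WinlogonKey -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $valueName)) {
        $valuePresent = $true
        $valueData    = $key.GetValue($valueName)
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        InstallDirExists  = $dirExists
        FilesFound        = $foundFiles
        WinlogonValueSet  = $valuePresent
        WinlogonValueData = $valueData
        IndicatorsPresent = ($foundFiles.Count -gt 0) -or $valuePresent
    }
}

Test-TBKeyloggerIndicators
```

The function returns one object per host, so its output can be collected from several machines and filtered on `IndicatorsPresent`.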

Last update 28 October 2014

 
