
TrojanSpy:Win32/Keylogger.X


First posted on 27 November 2010.
Source: SecurityHome

Aliases:

There are no other names known for TrojanSpy:Win32/Keylogger.X.

Explanation:

TrojanSpy:Win32/Keylogger.X is a trojan key logger that captures keystrokes and sends the captured data to remote servers. This trojan may have been installed by Worm:Win32/Soglueda.A.

Installation:

This trojan may have been installed by Worm:Win32/Soglueda.A. When executed, Worm:Win32/Soglueda.A creates the following files on an affected computer:

  • <system folder>\winm.dll

Worm:Win32/Soglueda.A utilizes code injection in order to hinder detection and removal of the trojan code. When the worm executes, it injects the trojan code "winm.dll" into running processes, including the following, for example:

  • cmd.exe
  • csrss.exe
  • explorer.exe
  • winlogon.exe

Payload:

Records keystrokes

The trojan key logger records keystrokes and window titles and reports them to a remote host. We have observed the trojan to contact the following remote hosts to send captured data using port 80:

  • bi.aznaryespinosa.com.ar
  • bits.aznaryespinosa.com.ar
  • f.aznaryespinosa.com.ar
  • nico.aznaryespinosa.com.ar
  • servers.aznaryespinosa.com.ar
  • muler.agusting.com.ar
  • winupdate32.sytes.net
  • 174.36.209.138

Changes Windows settings

The worm modifies the registry to change the default icon for files of type ".EXE" so that they appear as a text or document file, as in the following example:

In subkey: HKLM\SOFTWARE\Classes\.exe
Sets value: "(default)"
With data: "exefile "

In subkey: HKLM\SOFTWARE\Classes\exefile
Sets value: "(default)"
With data: "aplicación"

In subkey: HKLM\SOFTWARE\Classes\exefile \DefaultIcon
Sets value: "(default)"
With data: "shell32.dll,2"

Disables programs from running

Worm:Win32/Soglueda.A deletes registry data that would execute device drivers and services at Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: " "

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: " "
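As an added defender-side example (not part of the original analysis), the following Python checks for the indicators listed above: the injected module name mapped into processes, the registry changes, and connections to the listed hosts on port 80. It runs on constructed sample data, and the proxy log format ("timestamp src_ip dst_host dst_port method url"), the sample IPs and the timestamps are assumptions; on a live Windows host the registry snapshot would be filled from winreg and the module list from a process-inspection tool.

```python
# Added detection example for the indicators on this page; not the
# analyst's or Microsoft's code. Works on constructed data (a registry
# snapshot, per-process module lists and proxy log lines in a made-up
# "ts src_ip dst_host dst_port method url" format) so it runs offline.
import re

# Hosts the page reports the key logger contacting over port 80.
KNOWN_HOSTS = {
    "bi.aznaryespinosa.com.ar",
    "bits.aznaryespinosa.com.ar",
    "f.aznaryespinosa.com.ar",
    "nico.aznaryespinosa.com.ar",
    "servers.aznaryespinosa.com.ar",
    "muler.agusting.com.ar",
    "winupdate32.sytes.net",
    "174.36.209.138",
}

# Module name the page says the worm injects into running processes.
INJECTED_DLL = "winm.dll"

# Registry changes from the page as (subkey, value name, data). The trailing
# space in "exefile " is kept verbatim: .exe is pointed at a ProgID that is
# not the genuine "exefile" class, so the icon change applies to every .exe.
REGISTRY_IOCS = [
    (r"HKLM\SOFTWARE\Classes\.exe", "(default)", "exefile "),
    (r"HKLM\SOFTWARE\Classes\exefile", "(default)", "aplicación"),
    (r"HKLM\SOFTWARE\Classes\exefile \DefaultIcon", "(default)", "shell32.dll,2"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "(default)", " "),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "(default)", " "),
]


def check_registry(snapshot):
    """snapshot maps (subkey, value_name) -> data string.
    Returns the subkeys whose data equals an indicator from the page."""
    return [subkey for subkey, name, data in REGISTRY_IOCS
            if snapshot.get((subkey, name)) == data]


def check_loaded_modules(modules_by_process):
    """modules_by_process maps a process image name to its loaded modules.
    Returns, sorted, the processes with the injected DLL mapped (case-insensitive)."""
    return sorted(proc for proc, mods in modules_by_process.items()
                  if any(m.lower() == INJECTED_DLL for m in mods))


# Constructed log layout: six space-separated fields, port must be numeric.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


def check_proxy_log(lines):
    """Return (src_ip, dst_host) pairs that reached a known host on port 80.
    Lines that do not fit the expected layout are skipped rather than fatal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, src, host, port, _method, _url = m.groups()
        if host.lower() in KNOWN_HOSTS and port == "80":
            hits.append((src, host))
    return hits


# Constructed sample data (not captured from a real host).
SAMPLE_REGISTRY = {
    (r"HKLM\SOFTWARE\Classes\.exe", "(default)"): "exefile ",
    (r"HKLM\SOFTWARE\Classes\exefile", "(default)"): "aplicación",
    (r"HKLM\SOFTWARE\Classes\exefile \DefaultIcon", "(default)"): "shell32.dll,2",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "(default)"): " ",
}
SAMPLE_MODULES = {
    "explorer.exe": ["ntdll.dll", "kernel32.dll", "WINM.DLL"],
    "notepad.exe": ["ntdll.dll", "kernel32.dll"],
    "winlogon.exe": ["ntdll.dll", "winm.dll"],
}
SAMPLE_LOG = [
    "1290816000 10.0.0.5 bits.aznaryespinosa.com.ar 80 POST http://bits.aznaryespinosa.com.ar/up",
    "1290816001 10.0.0.5 www.example.com 443 CONNECT www.example.com:443",
    "1290816002 10.0.0.7 174.36.209.138 80 POST http://174.36.209.138/",
    "garbled line without the expected fields",
]

if __name__ == "__main__":
    print("registry indicators:", check_registry(SAMPLE_REGISTRY))
    print("injected into:", check_loaded_modules(SAMPLE_MODULES))
    print("beacons:", check_proxy_log(SAMPLE_LOG))
```

The registry check matches the exact data the page lists, so a variant that uses a different icon index or ProgID name would not trigger it; the module check is the more general signal, since any process with winm.dll mapped is suspect regardless of what the registry looks like.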

    Analysis by Vincent Tiu

    Last update 27 November 2010
