TrojanSpy:Win32/Wetoxy
First posted on 02 April 2012.
Source: Microsoft
Aliases:
TrojanSpy:Win32/Wetoxy is also known as Trojan-Spy.Win32.Agent.bute (Kaspersky), TrojanSpy.Agent!2YrA3lkdmy4 (VirusBuster), Trojan horse PSW.Agent.AQSU (AVG), TR/Agent.12800.81 (Avira), Trojan.PWS.Stealer.741 (Dr.Web).
Explanation:
TrojanSpy:Win32/Wetoxy is a family of trojans that logs keystrokes on the affected user's computer.
Installation
In the wild, we have observed some variants of this malware injecting code into a specific system process, possibly to facilitate keylogging. Code may be injected into the following application:
<system folder>\svchost.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
After creating a window object for its keylogger, the malware may create the following log files, in which it records the stolen keystrokes:
- %temp%\kb92437-ky7.log
- %USERPROFILE%\documents.log
- %ProgramFiles%\NetMeeting\ke<user_name>bodlog.dll
- %TEMP%\Kebodlog.dll
The malware makes the following change to the registry to ensure that it runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Event Notify"
With data: %Current file name%
Payload
Logs keystrokes
The malware identifies the current active window that the affected user is using, and steals information and keystrokes from this window.
The malware may create the following hidden windows that can be used for its key-logging activity:
- "Messenger"
- "KeyboardJoy"
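The indicators above (the Run value, the log-file names and the hidden window titles) can be turned into a host check. The following Python is an added example and is not Microsoft's code: the indicator values come from this write-up, while the matching logic, the confidence labels and the sample host data are constructed for illustration. It takes registry Run entries, file paths and window titles already collected from a host and reports which Wetoxy indicators they match.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicator values are taken from the write-up above. The matching logic,
# confidence labels and sample data below are this example's own.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "event notify"

# The write-up gives the log paths with environment variables (%TEMP%,
# %USERPROFILE%, %ProgramFiles%) and a <user_name> placeholder, so the
# patterns anchor on the tail of the path rather than the expanded prefix.
LOG_FILE_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"[\\/]kb92437-ky7\.log$", re.I), "high"),
    (re.compile(r"[\\/]documents\.log$", re.I), "medium"),
    (re.compile(r"[\\/]netmeeting[\\/]ke[^\\/]*bodlog\.dll$", re.I), "high"),
    (re.compile(r"[\\/]kebodlog\.dll$", re.I), "high"),
]

# "Messenger" is a common window title, so on its own it is a weak signal.
HIDDEN_WINDOW_TITLES = {"messenger": "low", "keyboardjoy": "medium"}


def find_wetoxy_indicators(
    run_entries: Iterable[Tuple[str, str, str]],
    file_paths: Iterable[str],
    window_titles: Iterable[str],
) -> List[Dict[str, str]]:
    """Return one hit per matching indicator.

    run_entries:   (registry key, value name, value data) triples
    file_paths:    absolute paths found on disk
    window_titles: titles of windows enumerated on the host
    """
    hits: List[Dict[str, str]] = []

    # Persistence: HKCU Run value named "Event Notify" pointing at the dropped file.
    for key, name, data in run_entries:
        if key.lower() == RUN_KEY and name.lower() == RUN_VALUE_NAME:
            hits.append({"type": "run_key", "value": f"{name} = {data}", "confidence": "medium"})

    # Keystroke log files; first matching pattern wins.
    for path in file_paths:
        for pattern, confidence in LOG_FILE_PATTERNS:
            if pattern.search(path):
                hits.append({"type": "log_file", "value": path, "confidence": confidence})
                break

    # Hidden windows used by the keylogger.
    for title in window_titles:
        confidence = HIDDEN_WINDOW_TITLES.get(title.lower())
        if confidence:
            hits.append({"type": "hidden_window", "value": title, "confidence": confidence})

    return hits


def highest_confidence(hits: List[Dict[str, str]]) -> str:
    """Summarise a hit list as its strongest single indicator ("none" if empty)."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((h["confidence"] for h in hits), key=order.__getitem__, default="none")


# Constructed sample host data (not a real capture).
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Event Notify",
     r"C:\Users\alice\AppData\Local\Temp\kb7.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
SAMPLE_FILE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\kb92437-ky7.log",
    r"C:\Program Files\NetMeeting\kealicebodlog.dll",
    r"C:\Users\alice\documents.txt",
]
SAMPLE_WINDOW_TITLES = ["Messenger", "Calculator", "KeyboardJoy"]

if __name__ == "__main__":
    found = find_wetoxy_indicators(SAMPLE_RUN_ENTRIES, SAMPLE_FILE_PATHS, SAMPLE_WINDOW_TITLES)
    for hit in found:
        print(f"[{hit['confidence']:6}] {hit['type']}: {hit['value']}")
    print("overall:", highest_confidence(found))
```

On the constructed sample this reports five hits (the Run value, two log files and both window titles) with an overall confidence of "high". Matching on path tails rather than expanded environment variables keeps the check usable on inventories from any Windows version, and the per-indicator confidence separates the file-name hits, which are specific to this family, from the generic "Messenger" title.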
Analysis by Patrick Estavillo
Last update 02 April 2012