Home / malware Trojan-Spy:W32/KeyLogger.RM
First posted on 02 November 2007.
Source: SecurityHomeAliases :
Trojan-Spy:W32/KeyLogger.RM is also known as Trojan-Spy.Win32.KeyLogger.rl, Trojan-Spy.Win32.KeyLogger.rm, Trojan-Spy.Win32.KeyLogger.rk.
Explanation :
This is a key-logging trojan that logs all the keystrokes of the user and sends them to a particular website.
Upon Execution, this malware displays the following fake error message:
It then drops the following files on Windows System folder:
- %systemdir%GenuineLicence.exe
Detected as Trojan-Spy.Win32.KeyLogger.rk - %systemdir%kbd.dll
Detected as Trojan-Spy.Win32.KeyLogger.rk - %systemdir% est.dll
Detected as Trojan-Spy.Win32.KeyLogger.rl
Note: %systemdir% by default is C:Windowssystem32
It also creates the following registry key as part of its auto-start mechanism:
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
service = "C:WINDOWSsystem32GenuineLicence.exe"
Initially, it will try to contact this URL to set the infected machine's status
- http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php
Then this malware sends the user's keystrokes including its ip address to this URL:
- http://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/[REMOVED].php
Last update 02 November 2007