Virus: TR/Klog.Blue.A
Date discovered: 28/10/2005
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 24.520 Bytes
MD5 checksum: 71a0e9a6f7290f9e68bc8d8218869929
VDF version: 6.32.00.121

General
Method of propagation:
   • No own spreading routine


Alias:
   •  Bitdefender: Trojan.Keylogger.Blue.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Records keystrokes
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\zprot32.exe



The following files are created:
   • C:\beta.htm
   • C:\system.1st – this file contains the collected keystrokes.

Registry
The following registry key is added in order to run the process after reboot:
   • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • "SystemSecurity"="zprot32.exe"
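
As an added defender-side check that is not part of the Avira description, the following Python parses a `reg export` of the Run key and a file listing and flags the persistence value and dropped files named above. The registry text and paths are constructed samples, and the extra `Updater` entry is an assumption added to show that a renamed value which still launches zprot32.exe is also caught.

```python
import re

# Indicators taken from the TR/Klog.Blue.A description; everything else is assumed.
RUN_VALUE_NAME = "systemsecurity"   # from "SystemSecurity"="zprot32.exe"
DROPPED_FILES = {"zprot32.exe", "system.1st", "beta.htm"}

def parse_reg_export(text):
    """Parse the [key] / "name"="data" subset of `reg export` output into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := re.fullmatch(r"\[(.+)\]", line)):
            current = m.group(1)
            keys[current] = {}
        elif current and (m := re.fullmatch(r'"([^"]+)"="(.*)"', line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def basename(path):
    """Last path component, lower-cased; .reg export doubles backslashes, which the split tolerates."""
    return path.strip('"').replace("/", "\\").split("\\")[-1].lower()

def find_persistence(reg):
    """Flag Run values by the value name from the description or by the executable they
    launch, so a renamed value that still starts zprot32.exe is also caught."""
    hits = []
    for key, values in reg.items():
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                if name.lower() == RUN_VALUE_NAME or basename(data) == "zprot32.exe":
                    hits.append(f"{key}: {name}={data}")
    return hits

def find_dropped_files(paths):
    """Flag paths whose file name matches one of the files the description says are dropped."""
    return [p for p in paths if basename(p) in DROPPED_FILES]

# Constructed sample input (not a real export): the value exactly as the description
# shows it, a benign entry, and an assumed renamed value pointing at the same executable.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemSecurity"="zprot32.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\WINDOWS\\zprot32.exe"
"""
SAMPLE_PATHS = [r"C:\WINDOWS\zprot32.exe", r"C:\system.1st", r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for hit in find_persistence(parse_reg_export(SAMPLE_REG)) + find_dropped_files(SAMPLE_PATHS):
        print("indicator:", hit)
```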

Backdoor
Contact server:
   • http://**********.net/0000/1111-2222/3333-4444/5555-6666/7777-8888/9999-AAAA/BBBB.php

This is done via the HTTP POST method using a PHP script.


Sends information about:
   • Cached passwords
   • Collected email addresses
   • Created log files

Stealing
It tries to steal the following information:
   • Recorded passwords used by the AutoComplete function
   • Email account information obtained from the registry key HKCU\Software\Microsoft\Internet Account Manager\Accounts
   • Passwords from the following programs:
      • Outlook Express
      • MSN Messenger
      • WebMoney

File details
Programming language: The malware program was written in MS Visual C++.

Description inserted by Irina Boldea on Friday, October 28, 2005
Description updated by Irina Boldea on Friday, October 28, 2005
