Virus: TR/Repor.A
Date discovered: 01/04/2005
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 29.582 Bytes
MD5 checksum: 10ef4838aa0496d818d82a8b12fa6425
VDF version: 6.30.00.60

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Keylog-SClog
   •  Kaspersky: Trojan-Spy.Win32.SCKeyLog.o
   •  Grisoft: PSW.Sclog.D
   •  VirusBuster: Trojan.Gogel.A
   •  Bitdefender: Win32.Repor.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Uses its own Email engine
   • Records keystrokes
   • Registry modification
   • Steals information


Right after execution the following information is displayed:


Files

It copies itself to the following location:
   • %SYSDIR%\csrs.exe



The following files are created:

%TEMPDIR%\ief%random character string%.tmp This is a non-malicious text file with the following content:
   • %visited URL%

%TEMPDIR%\67-41 This is a non-malicious text file with the following content:
   • %computer name%
     %current date%
     %current hour%
     %current ip address%
     %current username%
     %all running processes%
     %stolen information%

%SYSDIR%\srsc.dat This file contains collected information about the system.
%SYSDIR%\srsc.le This file contains collected information about the system.

Registry

The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "csrs"="%SYSDIR%\csrs.exe"



The following registry key is added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csrs]
   • "DllName"="csrs.dll"
   • "Asynchronous"=dword:00000000
   • "Impersonate"=dword:00000000
   • "Lock"="WLELock"
   • "Logoff"="WLELogoff"
   • "Logon"="WLELogon"
   • "Shutdown"="WLEShutdown"
   • "StartScreenSaver"="WLEStartScreenSaver"
   • "Startup"="WLEStartup"
   • "StopScreenSaver"="WLEStopScreenSaver"
   • "Unlock"="WLEUnlock"

Email

It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:


Email design:
From: tibianhackr28@yahoo.com <tibianhackr28@yahoo.com>
To: tibianhackr28@yahoo.com <tibianhackr28@yahoo.com>
Subject: Log report of computer %computer name% (%current username%)
Body:
   • SC-KeyLog log report
     
     See attached file(s)...
Attachments:
   • IE_Favorites.html(%TEMPDIR%\ief%random character string%.tmp)
   • LogFile.log(%TEMPDIR%\67-41)



The email may look like one of the following:


Stealing

It tries to steal the following information:

– It captures:
     Keystrokes
     Window information

File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Iulia Diaconescu on Friday, March 17, 2006
Description updated by Andrei Gherman on Tuesday, March 21, 2006
