Virus: TR/Keylogger.avk
Date discovered: 29/11/2007
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 112,008 bytes
MD5 checksum: a3e928635256073ca0e5b90388ee6efc
VDF version: 7.00.01.23
IVDF version: 7.00.01.24 - Thursday, November 29, 2007
General
Method of propagation:
• No own spreading routine

Aliases:
• Mcafee: Generic Keylogger.g trojan
• Kaspersky: Trojan.Win32.VB.avk
• F-Secure: Trojan.Win32.VB.avk
• Panda: Trj/Keylogger.BN

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops files
• Lowers security settings
• Records keystrokes
• Registry modification
• Steals information

Files
It copies itself to the following locations:
• %PROGRAM FILES%\Common Files\winlogon.exe
• %PROGRAM FILES%\Common Files\smss.exe
• %PROGRAM FILES%\Common Files\fzx9823.exe
• %PROGRAM FILES%\Common Files\12x34.edh
The names winlogon.exe and smss.exe are borrowed from legitimate Windows system processes; the genuine binaries live only in the Windows system directory, so the Common Files path alone identifies these copies as foreign.

The following file is created:
– C:\s5d46a.fjg
This is a plain text file (not itself executable) that holds the harvested data:
• %stolen information%

Registry
The following registry value is added in order to run the process after reboot. The trojan re-creates it in an endless loop, so deleting the value while the process is still running has no lasting effect; the process has to be terminated first.
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Windows Log Agent="%PROGRAM FILES%\Common Files\winlogon.exe"

The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
New value:
• CheckedValue=dword:00000002
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
New value:
• CheckedValue=dword:00000002
– [HKCR\exefile]
New value:
• (Default)="Carpeta de Archivos" (Hidden)
"Carpeta de Archivos" is Spanish for "File Folder". The default value of HKCR\exefile is the type description Explorer displays for .exe files, so once extensions are hidden (HideFileExt below) the dropped executables are listed with the type of a folder.
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New values:
• ShowSuperHidden=dword:00000000
• HideFileExt=dword:00000001
• SuperHidden=dword:00000001
• Hidden=dword:00000000
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
New values:
• CheckedValue=dword:00000001
• UncheckedValue=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
New values:
• CheckedValue=dword:00000001
• UncheckedValue=dword:00000001
The HKCU values hide hidden files, protected system files and file extensions for the current user. The CheckedValue/UncheckedValue entries under HKLM define what the corresponding Folder Options controls write back to HKCU, so the changes also sabotage the dialog: with SHOWALL\CheckedValue=2, selecting "Show hidden files and folders" writes the "do not show" value, and with HideFileExt CheckedValue and UncheckedValue both 1, unticking "Hide extensions for known file types" still leaves extensions hidden. Restoring the view therefore requires fixing the HKLM entries as well as the HKCU ones.

Backdoor
Contact server:
The following:
• 
http://www.e223pg.awardspace.co.uk/**********
As a result it may send some information. This is done via the HTTP POST method using a PHP script.
Sends information about:
• Free disk space
• Collected information described in the stealing section

Stealing
It tries to steal the following information:
– It captures:
• Keystrokes
• Window information

File details
Programming language:
The malware program was written in Visual Basic.
Runtime packer:
To hinder detection and reduce the size of the file it is packed with the following runtime packer:
• PEtite 2.2
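The following PowerShell script is an added example and is not part of Avira's description or of the trojan itself. It turns the indicators above (dropped files, the keystroke log, the Run value, the Folder Options entries and the rewritten HKCR\exefile type name) into a host check, and offers a cleanup that kills the running copies before touching the registry, because the Run value is otherwise re-created in a loop. The function names are hypothetical; the "default" registry values it compares against are the Windows defaults as assumed here (confirm them against a clean host of the same build before relying on the cleanup), and both Common Files directories are checked because a 32-bit binary on 64-bit Windows resolves %PROGRAM FILES% to the (x86) tree. Run it from an elevated PowerShell 3 or later.

```powershell
# Added example (not Avira's or the malware's code): triage and cleanup for the
# TR/Keylogger.avk indicators. Assumes elevated PowerShell 3+ on Windows.

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$FolderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
$ExeFile   = 'Registry::HKEY_CLASSES_ROOT\exefile'
$Dropped   = 'winlogon.exe', 'smss.exe', 'fzx9823.exe', '12x34.edh'
$LogFile   = 'C:\s5d46a.fjg'

# Windows defaults for the Folder Options entries the trojan rewrites (assumed
# values; compare with a clean reference host before trusting the cleanup).
$FolderDefaults = @(
    @{ Key = "$FolderKey\Hidden\SHOWALL";  Name = 'CheckedValue';   Value = 1 },
    @{ Key = "$FolderKey\Hidden\NOHIDDEN"; Name = 'CheckedValue';   Value = 2 },
    @{ Key = "$FolderKey\SuperHidden";     Name = 'CheckedValue';   Value = 0 },
    @{ Key = "$FolderKey\SuperHidden";     Name = 'UncheckedValue'; Value = 1 },
    @{ Key = "$FolderKey\HideFileExt";     Name = 'CheckedValue';   Value = 1 },
    @{ Key = "$FolderKey\HideFileExt";     Name = 'UncheckedValue'; Value = 0 }
)

function Get-CommonFilesDirs {
    # Both the native and the (x86) Common Files trees; the latter is empty on 32-bit hosts.
    @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | Sort-Object -Unique
}

function Get-KeyloggerAvkIndicators {
    $findings = @()

    # Dropped copies. Genuine winlogon.exe/smss.exe live only under %SystemRoot%\System32,
    # so any file with these names under Common Files is suspect on its own.
    foreach ($dir in Get-CommonFilesDirs) {
        foreach ($name in $Dropped) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) { $findings += "file: $path" }
        }
    }
    if (Test-Path -LiteralPath $LogFile) { $findings += "keystroke log: $LogFile" }

    # Persistence value the trojan keeps re-creating.
    $agent = (Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).'Windows Log Agent'
    if ($agent) { $findings += "run value: Windows Log Agent=$agent" }

    # Folder Options entries moved away from their defaults.
    foreach ($d in $FolderDefaults) {
        $actual = (Get-ItemProperty -Path $d.Key -ErrorAction SilentlyContinue).($d.Name)
        if ($null -ne $actual -and $actual -ne $d.Value) {
            $findings += "registry: $($d.Key)\$($d.Name)=$actual (default $($d.Value))"
        }
    }

    # .exe type description rewritten to the Spanish for "File Folder".
    $exe = Get-Item -Path $ExeFile -ErrorAction SilentlyContinue
    if ($exe -and $exe.GetValue('') -eq 'Carpeta de Archivos') {
        $findings += 'registry: HKCR\exefile (Default)="Carpeta de Archivos"'
    }
    return $findings
}

function Remove-KeyloggerAvk {
    # Kill the running copies first: while one is alive the Run value is re-added
    # in a loop and any registry cleanup is undone immediately.
    $images = foreach ($dir in Get-CommonFilesDirs) {
        foreach ($name in $Dropped) { Join-Path $dir $name }
    }
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and ($images -contains $_.ExecutablePath) } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force }

    Remove-ItemProperty -Path $RunKey -Name 'Windows Log Agent' -ErrorAction SilentlyContinue
    foreach ($d in $FolderDefaults) {
        Set-ItemProperty -Path $d.Key -Name $d.Name -Value $d.Value -Type DWord
    }
    # "Application" is Explorer's own type name for .exe files (assumed default).
    Set-ItemProperty -Path $ExeFile -Name '(default)' -Value 'Application'

    # Per-user view settings: switch everything to "show" so leftovers stay visible.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name 'Hidden'          -Value 1 -Type DWord
    Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1 -Type DWord
    Set-ItemProperty -Path $adv -Name 'HideFileExt'     -Value 0 -Type DWord
    Remove-ItemProperty -Path $adv -Name 'SuperHidden' -ErrorAction SilentlyContinue

    # Copy the dropped files and the log elsewhere for analysis before this step;
    # here they are simply deleted.
    foreach ($p in ($images + $LogFile)) {
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force }
    }
}

# Usage: list the findings first, clean only if something was found.
$hits = Get-KeyloggerAvkIndicators
$hits
if ($hits) { Remove-KeyloggerAvk }
```

On a Windows XP or 2003 host that only has PowerShell 2, replace Get-CimInstance with Get-WmiObject (same class and properties). The script deliberately restarts nothing and does not sign out the user; Explorer picks up the restored HKCU values on its next refresh, and the sample itself is no longer running once Stop-Process has returned.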
Description inserted by Monica Ghitun on Thursday, November 29, 2007 Description updated by Monica Ghitun on Friday, November 30, 2007