Spyware.FreeKeylogger

Updated: April 11, 2007 4:10:06 PM
Type: Spyware
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the program is executed, it creates the following files:
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\data\ini2.4.0.imf
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\data\iniex2.4.0.imf
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\data\iniexx2.4.0.imf
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\data\iniexxx2.4.0.imf
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\data\inix42.4.0.imf
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\data\inixxx2.4.0.imf
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\data\Key_2007_04_10.imh
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\data\Key_2007_04_10_16-02-58196918.kh
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\license.txt
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\wt.htm
  • %Windir%\pcmn148.INI
  • %UserProfile%\Desktop\FreeKeylogger.Net 240.lnk
  • %UserProfile%\Start Menu\Programs\FreeKeylogger.Net 2.4.0\FreeKeylogger.Net 240.lnk
  • %UserProfile%\Start Menu\Programs\FreeKeylogger.Net 2.4.0\Uninstall.lnk
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\kh148.dll
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\PCFreeKey148.exe
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\pcmn148.exe
  • %ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeylogger.Net 2.4.0\uninst.exe

The program then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"pcmn891.exe" = "%ProgramFiles%\PCS-[RANDOM NUMBER]\FreeKeyLogger.Net 2.4.0\pcmn891.exe"

Next, the program creates the following registry subkeys:
HKEY_ALL_USERS\Software\PCS-240
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$ext_client_exe}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeKeylogger.Net 2.4.0
HKEY_LOCAL_MACHINE\SOFTWARE\PCS-240

The program then records keystrokes and other sensitive information. It then stores the gathered information so that it can be accessed by a remote user.
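
The file and registry artifacts listed above can be turned into a triage check over an exported file listing and registry dump. This is an added example, not Symantec's code; it matches the Run entry on the install directory in the value data rather than on the executable name, because the write-up lists pcmn148.exe as a file but pcmn891.exe in the Run entry. Assumptions: the function names and sample inventory are constructed for illustration, "[RANDOM NUMBER]" is treated as a run of digits, and the dated Key_ file names are generalised from the single sample shown.

```python
import re

# Patterns built from the artifact lists in this write-up. Assumptions: "[RANDOM NUMBER]"
# is a run of digits, and dated names generalise the single 2007_04_10 sample.
INSTALL_DIR = re.compile(r"\\PCS-\d+\\FreeKeylogger\.Net [\d.]+(\\|$)", re.I)
DATED_DATA = re.compile(r"\\data\\Key_\d{4}_\d{2}_\d{2}[\w-]*\.(imh|kh)$", re.I)
WINDIR_INI = re.compile(r"\\pcmn\d+\.ini$", re.I)
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEY = CV + r"\run"
SUBKEYS = (CV + r"\uninstall\freekeylogger.net 2.4.0", r"hkey_local_machine\software\pcs-240")

def classify_path(path):
    """Label a file path that matches a listed artifact, else return None."""
    if INSTALL_DIR.search(path):
        return "data-file" if DATED_DATA.search(path) else "install-dir"
    if WINDIR_INI.search(path):
        return "windir-ini"
    return None

def classify_registry(key, name="", data=""):
    """Label a registry entry (key, value name, value data), else return None."""
    k = key.lower().rstrip("\\")
    if k == RUN_KEY and INSTALL_DIR.search(data):
        return "run-persistence"
    if any(k == s or k.startswith(s + "\\") for s in SUBKEYS):
        return "product-subkey"
    return None

def scan(paths, reg_entries):
    """Return (label, item) pairs for every path or registry key that matches."""
    hits = [(classify_path(p), p) for p in paths]
    hits += [(classify_registry(*r), r[0]) for r in reg_entries]
    return [h for h in hits if h[0]]

# Constructed sample inventory (not from a real host).
SAMPLE_PATHS = [
    r"C:\Program Files\PCS-48213\FreeKeylogger.Net 2.4.0\kh148.dll",
    r"C:\Program Files\PCS-48213\FreeKeylogger.Net 2.4.0\data\Key_2007_04_10.imh",
    r"C:\WINDOWS\pcmn148.INI",
    r"C:\Program Files\PCS-Tools\readme.txt",
]
SAMPLE_REG = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "pcmn891.exe",
     r"C:\Program Files\PCS-48213\FreeKeyLogger.Net 2.4.0\pcmn891.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\PCS-240", "", ""),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
if __name__ == "__main__":
    print(*scan(SAMPLE_PATHS, SAMPLE_REG), sep="\n")
```

The pcmn*.ini pattern does not check the parent directory, so treat a "windir-ini" hit on its own as a lead to confirm against the other artifacts.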