
Spyware.AdvancedKey

Updated:
February 13, 2007 11:38:00 AM
Type:
Spyware
Version:
1.7
Publisher:
Eltima Software
Risk Impact:
High
File Names:
advanced_keylogger.exe, kmonitor.exe, Setup.exe, trace.exe, svchost.exe, TMLib.dll, TMUtils.dll
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Spyware.AdvancedKey is installed, the following actions are performed:
  1. Displays the End-User License Agreement.

  2. Prompts for the installation folder. The default installation folder is %Windir%\IDDE.

    Note: %Windir% is a variable. By default, this is C:\Windows or C:\Winnt.

  3. Creates the following files and folders:

    • %Windir%\IDDE\kmonitor.exe: Main application for viewing logs and configuring the logger. Detected as Spyware.AdvancedKey.
    • %Windir%\IDDE\License.txt: License information.
    • %Windir%\IDDE\manual.chm: Help file.
    • %Windir%\IDDE\readme.txt: Documentation.
    • %Windir%\IDDE\register.bat: Used to register the spyware.
    • %Windir%\IDDE\Setup.exe: Used to place the files in the proper locations and set up the registry entries. Detected as Spyware.AdvancedKey.
    • %Windir%\IDDE\setup.log: Log of the installation process.
    • %Windir%\IDDE\trace.exe: Used to trace screenshots. Detected as Spyware.AdvancedKey.
    • %Windir%\IDDE\uninstall.bat: Used for uninstallation.
    • %Windir%\IDDE\Uninstall.exe: Generic uninstaller.
    • %Windir%\IDDE\wrk.log: Log of the installation process.
    • %Windir%\system\svchost.exe: Main logger. Detected as Spyware.AdvancedKey.
    • %System%\TMLib.dll: Used for saving logs and setting up the environment for logging. Detected as Spyware.AdvancedKey.
    • %System%\TMUtils.dll: Used for saving and tracing screenshots. Detected as Spyware.AdvancedKey.
    • %Windir%\IDDE\CLPBR\: Directory that contains screenshots.
    • %Windir%\ddemal32.bin: Log file.
    • %Windir%\system\setup.log
    • %Windir%\system\MSIDLLSI.DAT

      Note: %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  4. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\IDDE
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}
    HKEY_LOCAL_MACHINE\SOFTWARE\Licenses


  5. Creates a service with the following attributes:

    Service name: svchost
    Display name: MS Software Generic Host Process for Win32 Services
    Path to executable: %Windir%\system\svchost.exe
    Startup type: Automatic

  6. Performs the following actions:

    • Logs keystrokes
    • Monitors the clipboard
    • Captures screenshots
    • Monitors Internet activity
    • Emails log files
    • Hides and unhides its Taskbar icon using the Ctrl+Alt+Del+R key combination
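The indicators above (a service named svchost whose binary lives in %Windir%\system rather than %System%, the dropped files, and the registry subkeys) can be checked on a host with the following triage script. This is an added example, not part of the Symantec writeup: the function name Find-AdvancedKeyIndicators and the output layout are my own, %Windir% and %System% are resolved through $env:SystemRoot and [Environment]::SystemDirectory, and the service check is generalised to flag any service whose binary is called svchost.exe but does not sit in the real System32 directory, which catches this threat and others that reuse the same name. Run it in an elevated PowerShell session.

```powershell
# Added triage script (not from the Symantec writeup) for the Spyware.AdvancedKey
# indicators listed above. Returns one object per finding; empty output means
# none of the listed artifacts were found.
function Find-AdvancedKeyIndicators {
    $findings = @()
    $windir = $env:SystemRoot                       # %Windir%
    $sysdir = [Environment]::SystemDirectory         # %System%

    # 1. Service check. The writeup's service is named "svchost" and points at
    #    %Windir%\system\svchost.exe. The legitimate binary is %System%\svchost.exe,
    #    so any service whose image is svchost.exe elsewhere is suspicious (this is
    #    a general check, not limited to this threat).
    $legitSvchost = Join-Path $sysdir 'svchost.exe'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # Extract the executable path from PathName, which may be quoted and may
        # carry arguments (e.g. "C:\...\svchost.exe" -k netsvcs).
        if ($svc.PathName -match '^"?([^"]*?\.exe)') {
            $exe = $Matches[1]
            if ($exe -match 'svchost\.exe$' -and $exe -ne $legitSvchost) {
                $findings += [pscustomobject]@{
                    Kind   = 'Service'
                    Item   = "$($svc.Name) ($($svc.DisplayName))"
                    Detail = "binary $exe is not $legitSvchost"
                }
            }
            # Display name used by this threat, as given in the writeup.
            if ($svc.DisplayName -eq 'MS Software Generic Host Process for Win32 Services') {
                $findings += [pscustomobject]@{
                    Kind   = 'Service'
                    Item   = $svc.Name
                    Detail = 'display name matches Spyware.AdvancedKey'
                }
            }
        }
    }

    # 2. File indicators taken from the "Creates the following files" list.
    $files = @(
        (Join-Path $windir 'IDDE\kmonitor.exe'),
        (Join-Path $windir 'IDDE\Setup.exe'),
        (Join-Path $windir 'IDDE\trace.exe'),
        (Join-Path $windir 'IDDE\CLPBR'),
        (Join-Path $windir 'ddemal32.bin'),
        (Join-Path $windir 'system\svchost.exe'),
        (Join-Path $windir 'system\MSIDLLSI.DAT'),
        (Join-Path $sysdir 'TMLib.dll'),
        (Join-Path $sysdir 'TMUtils.dll')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Kind = 'File'; Item = $f; Detail = 'present' }
        }
    }

    # 3. Registry subkeys from the writeup. HKLM\SOFTWARE\Licenses is a weak
    #    indicator on its own (other software may create it), so weigh it with
    #    the other findings.
    $keys = @(
        'HKLM:\Software\Microsoft\IDDE',
        'HKLM:\SOFTWARE\Classes\CLSID\{DEE6806C-FB33-D04C-E1C6-8DA9B2204850}',
        'HKLM:\SOFTWARE\Licenses'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $findings += [pscustomobject]@{ Kind = 'Registry'; Item = $k; Detail = 'present' }
        }
    }

    return $findings
}

# Usage: list findings, or report a clean result.
$result = Find-AdvancedKeyIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No Spyware.AdvancedKey indicators found.' }
```

The service check is the most durable part: file names and registry paths change between spyware versions, but a service whose image is named svchost.exe and lives outside %System% is anomalous on any Windows release the writeup covers, and the same pattern (a legitimate-sounding name at a non-standard path) is worth alerting on in general.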

