Updated: February 13, 2007 11:38:36 AM
Type: Spyware
Version: 2.0
Publisher: Idigital Technologies
Risk Impact: High
File Names: keyserv.exe, skey.exe, Srvcks.exe, startkey.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Spyware.KeyThief can do the following:
- Log keystrokes
- Take screenshots
- Send logs by email
- Run in hidden mode
- Be unhidden by holding down Ctrl+Alt+K
When Spyware.KeyThief is installed, it does the following:
- Displays the license agreement.
- Installs the program to %ProgramFiles%\Idigital Technologies\Key Serv 2.0.
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Can add a link to the program's uninstaller in the Add/Remove Programs applet.
- Creates the following files/folders:
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\help.htm: Help information.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\ikeyhk2.dll: Generic key hooking library.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\startkey.exe: Used to start the Spyware. Detected as Spyware.KeyThief.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\skey.exe: Used for screenshot capturing. Detected as Spyware.KeyThief.
  - %System%\msvbvm60.dll: Microsoft Visual Basic Virtual Machine.
  - %System%\nslock15vb6.ocx: ActiveLock.
  - %Windir%\keythf2.ini: Configuration settings.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\Srvcks.exe: Main logger and configurator. Detected as Spyware.KeyThief.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\readme.txt: Documentation.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\web.ico: Icon used by Spyware.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\help.ico: Icon used by Spyware.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\Idigital Technologies.url: URL to the company that made the Spyware.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\keytheif.ico: Icon used by Spyware.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\reg.ico: Icon used by Spyware.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\remove.exe: Generic uninstaller.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\Register.url: URL to register the Spyware.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\text.ico: Icon used by Spyware.
  - %ProgramFiles%\Idigital Technologies\Key Serv 2.0\Unwise.exe: Generic uninstaller.
  - C:\Documents and Settings\Administrator\Start Menu\Programs\Idigital Technologies\Key Thief 2.0 Key Serv\Key Thief Help.lnk: Start menu link.
  - C:\Documents and Settings\Administrator\Start Menu\Programs\Idigital Technologies\Key Thief 2.0 Key Serv\Key Thief Read Me.lnk: Start menu link.
  - C:\Documents and Settings\Administrator\Start Menu\Programs\Idigital Technologies\Key Thief 2.0 Key Serv\Idigital Technologies Web Site.lnk: Start menu link.
  - C:\Documents and Settings\Administrator\Start Menu\Programs\Idigital Technologies\Key Thief 2.0 Key Serv\Key Thief 2.0 Key Serv.lnk: Start menu link.
  - C:\Documents and Settings\Administrator\Start Menu\Programs\Idigital Technologies\Key Thief 2.0 Key Serv\Register Key Thief Online.lnk: Start menu link.
  - %Windir%\KeyLogs\: Log directory.
- Adds the value:
  "srvcks" = "C:\PROGRA~1\IDIGIT~1\KEYSER~1.0\startkey.exe"
  to the registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  so that the Spyware runs when you start Windows.
- Creates the following registry keys/values:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Key Serv\"DisplayName" = "Key Serv 2.0"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Key Serv\"UninstallString" = "C:\PROGRA~1\IDIGIT~1\KEYSER~1.0\UNWISE.EXE C:\PROGRA~1\IDIGIT~1\KEYSER~1.0\INSTALL.LOG"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Key Serv\"DisplayIcon" = "C:\PROGRA~1\IDIGIT~1\KEYSER~1.0\srvcks.exe,-0"
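
One way to triage the Run-key autostart entry described above, as an added example that is not part of the original write-up: the entry is stored with 8.3 short names (`PROGRA~1\IDIGIT~1\KEYSER~1.0`), so a search for the long install path alone misses it. The function names, the sample laid out like `reg query` output, and the simplified short-name rule (up to six characters, `~N`, optional short extension) are assumptions made for this example.

```python
import re

# Indicators from the write-up; function names below are hypothetical.
VENDOR_DIRS = ("Idigital Technologies", "Key Serv 2.0")
FILE_NAMES = {"keyserv.exe", "skey.exe", "srvcks.exe", "startkey.exe"}
RUN_VALUE = "srvcks"
# Simple 8.3 alias only: up to 6 name chars, ~N, optional short extension.
SHORT = re.compile(r"^([^~.]{1,6})~\d+(?:\.(.{0,3}))?$")
ROW = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def component_matches(seen, long_name):
    """True if `seen` equals `long_name` or is a simple 8.3 alias of it."""
    seen, long_name = seen.upper(), long_name.upper()
    m = SHORT.match(seen)
    if seen == long_name or not m:
        return seen == long_name
    base, _, ext = long_name.rpartition(".") if "." in long_name else (long_name, "", "")
    return base.replace(" ", "").startswith(m.group(1)) and (m.group(2) or "") == ext[:3]

def is_keythief_path(command):
    """Match <vendor dir>\\<product dir>\\<known exe>, long or short form."""
    parts = command.replace('"', "").split("\\")
    for i in range(len(parts) - 2):
        if all(component_matches(parts[i + j], VENDOR_DIRS[j]) for j in (0, 1)):
            leaf = parts[i + 2].split()
            return bool(leaf) and leaf[0].lower() in FILE_NAMES
    return False

def scan_run_key(text):
    """Return (value name, reason) for each suspicious Run entry."""
    findings = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        name, _, data = m.groups()
        if is_keythief_path(data):
            findings.append((name, "path"))
        elif name.lower() == RUN_VALUE:
            findings.append((name, "value name only"))
    return findings

# Constructed sample, laid out like `reg query` output for the Run key.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\ExampleVendor\updater.exe" /background
    srvcks    REG_SZ    C:\PROGRA~1\IDIGIT~1\KEYSER~1.0\startkey.exe
    helper    REG_SZ    "C:\Program Files\Idigital Technologies\Key Serv 2.0\Srvcks.exe"
"""

if __name__ == "__main__":
    print(scan_run_key(SAMPLE))
```

A "value name only" hit means the `srvcks` name is present but the path does not match the documented install location, so it needs manual review rather than automatic removal.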