Spyware.WindowsKey

Updated: February 13, 2007 11:40:18 AM
Type: Spyware
Version: 5.03
Publisher: http://www.littlesister.de
Risk Impact: High
File Names: keylog5.exe, keylogger.exe, Krnlmod.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.WindowsKey is installed, the following actions are performed:
  1. Creates the following files:

    • %SystemDrive%\Programs\Keylogger5\file_id.diz - File information.
    • %SystemDrive%\Programs\Keylogger5\help.html - Help file.
    • %SystemDrive%\Programs\Keylogger5\order.html - Order form.
    • %SystemDrive%\Programs\Keylogger5\keylogger.exe - Main configurator/log viewer. Detected as Spyware.WindowsKey.
    • %SystemDrive%\Programs\Keylogger5\Krnlmod.exe - Main logger. Detected as Spyware.WindowsKey.
    • %SystemDrive%\Programs\Keylogger5\Ntpsapi.dll - Image library.
    • %SystemDrive%\Programs\Keylogger5\Watchdll.dll - Hooking library.
    • %SystemDrive%\Programs\Keylogger5\banner5.gif - Picture used in help file.
    • %SystemDrive%\Programs\Keylogger5\banner5_.gif - Picture used in help file.
    • %Userprofile%\Desktop\Windows Keylogger 5.lnk - Desktop link.
    • %SystemDrive%\Programs\Keylogger5\Log.txt - Log file.
    • %SystemDrive%\Programs\Keylogger5\data<number>.dat - Screenshot files.
    • %SystemDrive%\Programs\Keylogger5\$log$.html - HTML file created when viewing the log file.

    Notes:
    • %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
    • %Userprofile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).

  2. Adds the value:

    "Krnlmod" = "%SystemDrive%\Programs\Keylogger5\Krnlmod.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that Spyware.WindowsKey runs when Windows starts.

  3. May delete the following registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Keylogger

  4. Creates the subkey:

    "Tray"

    in the registry key:

    HKEY_LOCAL_MACHINE\Software

    and adds values to the subkey depending on the configuration.
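
A host check for the files and registry entries listed above, as an added PowerShell example that is not part of the original writeup. The function name is hypothetical, and the WOW6432Node lookup is an assumption for 64-bit hosts, which the writeup does not cover.

```powershell
# Added example (not vendor code). The function name is hypothetical;
# file paths and registry names are taken from the writeup above.
function Find-WindowsKeyArtifacts {
    param(
        [string]$SystemDrive = $env:SystemDrive,
        [string]$UserProfile = $env:USERPROFILE
    )
    $dir = Join-Path $SystemDrive 'Programs\Keylogger5'

    # Files from step 1. Single quotes keep '$log$.html' literal.
    $names = 'keylogger.exe', 'Krnlmod.exe', 'Ntpsapi.dll', 'Watchdll.dll',
             'Log.txt', '$log$.html', 'file_id.diz'
    $paths = @($names | ForEach-Object { Join-Path $dir $_ })
    $paths += Join-Path $UserProfile 'Desktop\Windows Keylogger 5.lnk'
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Kind = 'File'; Item = $p; Detail = 'present' }
        }
    }

    # Screenshot files are written as data<number>.dat in the install folder.
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter 'data*.dat' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^data\d+\.dat$' } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'Screenshot'; Item = $_.FullName; Detail = "$($_.LastWriteTime)" }
            }
    }

    # Registry entries from steps 2 and 4, checked in the native view and in
    # WOW6432Node (assumption: where a 32-bit process writes on 64-bit Windows).
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($run -and $run.PSObject.Properties['Krnlmod']) {
            [pscustomobject]@{ Kind = 'RunValue'; Item = "$runKey\Krnlmod"; Detail = $run.Krnlmod }
        }
        # "Tray" is a generic key name; corroborate with the other findings.
        if (Test-Path -LiteralPath "$root\Tray") {
            [pscustomobject]@{ Kind = 'RegKey'; Item = "$root\Tray"; Detail = 'subkey present' }
        }
    }
}

Find-WindowsKeyArtifacts | Format-Table -AutoSize -Wrap
```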
