||||
Symantec.com > Security Response > Threats and Risks > Spyware.EliteKeylogger
PRINT THIS PAGE

Spyware.EliteKeylogger

Printer Friendly Page

Updated: February 13, 2007 11:45:44 AM
Type: Spyware
Version: 2.1
Publisher: WideStep
Risk Impact: High
File Names: ek_setup.exe windump.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Spyware.EliteKeylogger is installed, it does the following:

  1. Creates the following files:

    • %ProgramFiles%\WideStep Software\Elite KeyLogger\Logs view.exe
    • %ProgramFiles%\WideStep Software\Elite KeyLogger\Uninstall.exe
    • %ProgramFiles%\WideStep Software\Elite KeyLogger\mciole.dll
    • %UserProfile%\Start Menu\Programs\WideStep Elite KeyLogger 2.6\Uninstall.lnk
    • %UserProfile%\Start Menu\Programs\WideStep Elite KeyLogger 2.6\View logs.lnk
    • %Windir%\Help\ek_manual.chm
    • %UserProfile%\Desktop\ek_setup.exe
    • %System%\drivers\extfs.sys
    • %System%\drivers\tdiip.sys
    • %System%\drivers\usbkbd.sys
    • %System%\mciole.dll
    • %System%\windump.exe


      Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following registry sytbkeys:

    HKEY_CLASSES_ROOT\CLSID\{333BD105-16D3-4169-B3C3-5090A69D691F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A252B94-2FCD-BBF8-8ADD-AA019F83938E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
    HKEY_LOCAL_MACHINE\SOFTWARE\WideStep\EliteKeyLogger
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\extfs
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdiip
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbkbd

  3. Adds the following values:

    "{R7C0DB872A3F777C0}" = "[HEX VALUES]"
    "{K7C0DB872A3F777C0}" = "[HEX VALUES]"
    "{I83E450369831F6EF}" = "[HEX VALUES]"
    "{083E450369831F6EF}" =     "[HEX VALUES]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

  4. Adds the values:

    "PNP_TDI" = "[HEX VALUES]"
    "Filter" = "[HEX VALUES]"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList

  5. Logs key strokes and catures screenshots.


Search by name
Example: W32.Beagle.AG@mm
Windows 7
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS