
Spyware.StealthKeylog

Updated: February 13, 2007 11:45:51 AM
Type: Spyware
Publisher: Amplusnet.com
Risk Impact: Medium
File Names: stealthkeylogger.exe, ASK.dll, ASK.exe, SMTPSender.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Spyware.StealthKeylog is installed, it does the following:
  1. Creates the following files:

    • %Windir%\ASK\ASK.dll
    • %Windir%\ASK\ASK.exe
    • %Windir%\ASK\help\Help.htm
    • %Windir%\ASK\help\images\ASK[NUMBER].jpg (The spyware creates many files in this format.)
    • %Windir%\ASK\help\images\bk.bmp
    • %Windir%\ASK\help\images\Email[NUMBER].jpg (The spyware creates many files in this format.)
    • %Windir%\ASK\help\images\poza.bmp
    • %Windir%\ASK\help\images\style.css
    • %Windir%\ASK\help\Info.htm
    • %Windir%\ASK\Logs\AggregatedLog.xsl
    • %Windir%\ASK\Logs\AllDayApplications.xsl
    • %Windir%\ASK\Logs\AllDayClipboardMonitor.xsl
    • %Windir%\ASK\Logs\AllDayFileMonitor.xsl
    • %Windir%\ASK\Logs\AllDayKeyLogger.xsl
    • %Windir%\ASK\Logs\AllDayMessenger.xsl
    • %Windir%\ASK\Logs\AllDayPrinterMonitor.xsl
    • %Windir%\ASK\Logs\AllDayScreenShot.xsl
    • %Windir%\ASK\Logs\AllDayWeb.xsl
    • %Windir%\ASK\Logs\Applications.xsl
    • %Windir%\ASK\Logs\Applications_[DATE].xmm (The spyware creates many files in this format.)
    • %Windir%\ASK\Logs\bk.bmp
    • %Windir%\ASK\Logs\ClipboardMonitor.xsl
    • %Windir%\ASK\Logs\ClipboardMonitor_[DATE].xmm (The spyware creates many files in this format.)
    • %Windir%\ASK\Logs\Errors.txt
    • %Windir%\ASK\Logs\FileMonitor.xsl
    • %Windir%\ASK\Logs\FileMonitor_[DATE].xmm (The spyware creates many files in this format.)
    • %Windir%\ASK\Logs\GlobalLog.xsl
    • %Windir%\ASK\Logs\KeyLogger.xsl
    • %Windir%\ASK\Logs\KeyLogger_[DATE].xmm (The spyware creates many files in this format.)
    • %Windir%\ASK\Logs\Messenger.xsl
    • %Windir%\ASK\Logs\pict_[TIME,DATE].jpg (The spyware creates many files in this format.)
    • %Windir%\ASK\Logs\PrinterMonitor.xsl
    • %Windir%\ASK\Logs\ScreenShot.xsl
    • %Windir%\ASK\Logs\ScreenShot_[DATE].xmm (The spyware creates many files in this format.)
    • %Windir%\ASK\Logs\Web.xsl
    • %Windir%\ASK\ScrCap.exe
    • %Windir%\ASK\SMTPSender.exe
    • %Windir%\SKUninstaller.exe
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAggregatedLog.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAllDaySysApplications.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAllDaySysClipboardMonitor.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAllDaySysFileMonitor.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAllDaySysKeyLogger.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAllDaySysMessenger.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAllDaySysPrinterMonitor.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAllDaySysScreenShot.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysAllDaySysWeb.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysApplications.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysApplications_[DATE].xmm
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysClipboardMonitor.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysErrors.txt
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysFileMonitor.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysFileMonitor_[DATE].xmm
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysGlobalLog.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysKeyLogger.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysKeyLogger_[DATE].xmm
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysMessenger.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\Syspict_[TIME,DATE].jpg
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysPrinterMonitor.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysScreenShot.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysScreenShot_[DATE].xmm
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SystemKeybk.bmp
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\SysWeb.xsl
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\Logs\TestEmail.xml
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\SysScrCap.exe
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\SysSMTPSender.exe
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\SystemKey.dll
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\SystemKey.exe
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\SystemKeyHelp.chm
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\SystemKeyUninstaller.exe
    • %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\xcacls.exe

      Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

  2. Adds some of the following values:

    "ASK" = "%System%\rundll32.exe %Windir%\ASK\ASK.dll rdl"
    "SystemKey" = "%System%\rundll32.exe %SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey\SystemKey.dll rdl"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  3. Creates some of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\ASK
    HKEY_LOCAL_MACHINE\SOFTWARE\SystemKey


  4. Logs keystrokes and captures screenshots.
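
The file and registry indicators above can be checked against artifacts collected from a host. The following is an added example, not part of the original write-up: it compiles a selection of the listed path templates into regexes and tests Run values for the rundll32 and "rdl" pattern. The placeholder formats, the acceptance of any drive letter, the function names and the sample data are assumptions.

```python
import re

# Variables as the write-up defines them; accepting any drive letter is an assumption.
VARS = {"%Windir%": r"[A-Za-z]:\\(?:Windows|Winnt)", "%SystemDrive%": r"[A-Za-z]:"}
# The page does not give the placeholder formats, so they are matched loosely (assumption).
HOLES = {"[NUMBER]": r"\d+", "[DATE]": r"[^\\]+", "[TIME,DATE]": r"[^\\]+"}
SYSKEY = r"%SystemDrive%\Documents and Settings\All Users\Application Data\SystemKey"
# A selection of the file templates from the list above.
FILE_TEMPLATES = [
    r"%Windir%\ASK\ASK.dll",
    r"%Windir%\ASK\help\images\ASK[NUMBER].jpg",
    r"%Windir%\ASK\Logs\KeyLogger_[DATE].xmm",
    r"%Windir%\ASK\Logs\pict_[TIME,DATE].jpg",
    SYSKEY + r"\SystemKey.dll",
]
# Run value name (lower-cased) -> DLL the write-up says rundll32 loads with "rdl".
RUN_DLLS = {"ask": r"%Windir%\ASK\ASK.dll", "systemkey": SYSKEY + r"\SystemKey.dll"}
RUNDLL = re.compile(r'^"?(?:.*\\)?rundll32\.exe"?\s+(.+?)\s+rdl\s*$', re.IGNORECASE)

def compile_template(template):
    """Turn one path template into a case-insensitive regex."""
    pattern = re.escape(template)
    for token, regex in {**VARS, **HOLES}.items():
        pattern = pattern.replace(re.escape(token), regex)
    return re.compile(pattern, re.IGNORECASE)

def match_run_value(name, data):
    """True if a Run value has the name, DLL path and 'rdl' argument from the write-up."""
    template = RUN_DLLS.get(name.lower())
    m = RUNDLL.match(data)
    return bool(template and m and compile_template(template).fullmatch(m.group(1).strip('"')))

def triage(paths, run_values):
    """Return (matching file paths, matching Run value names)."""
    regexes = [compile_template(t) for t in FILE_TEMPLATES]
    files = [p for p in paths if any(r.fullmatch(p) for r in regexes)]
    runs = [n for n, d in run_values.items() if match_run_value(n, d)]
    return files, runs

# Constructed sample input: a file listing and a Run-key export from one host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\ASK\Logs\KeyLogger_2007-02-13.xmm",
    r"C:\WINNT\ASK\help\images\ASK12.jpg",
    r"C:\WINDOWS\system32\rundll32.exe",
]
SAMPLE_RUN = {
    "ASK": r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\ASK\ASK.dll rdl",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
print(triage(SAMPLE_PATHS, SAMPLE_RUN))
```
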

