
Spyware.SysKeylog

Updated: June 6, 2006 11:12:55 AM
Type: Spyware
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Spyware.SysKeylog is a spyware program that logs keystrokes and captures screenshots. It can also email the logged information to a predefined address.

Once installed, it creates and executes the following files:
c:\Archivos de Programa\Sys_Kl\Sys_Kl.exe
c:\temp_kl\Sys_Kl.exe

The risk also creates the following clean files:
c:\Archivos de Programa\Sys_Kl\ACES
c:\Archivos de Programa\Sys_Kl\AGEG
c:\Archivos de Programa\Sys_Kl\DIJPG.DLL
c:\Archivos de Programa\Sys_Kl\logmail.chm
c:\Archivos de Programa\Sys_Kl\sys_keylog.chm
c:\Archivos de Programa\Sys_Kl\Sys_Kl_UNINSTALL.EXE
c:\Archivos de Programa\Sys_Kl\wel.sys
%UserProfile%\Desktop\Sys_Kl.exe.lnk
c:\temp_kl\COMCTL32.OCX
c:\temp_kl\DIjpg.dll
c:\temp_kl\INSTALAR.EXE
c:\temp_kl\JMAIL.DLL
c:\temp_kl\logmail.chm
c:\temp_kl\MSSTDFMT.DLL
c:\temp_kl\MSVBVM60.DLL
c:\temp_kl\sys_keylog.chm
c:\temp_kl\Sys_kl_uninstall.exe
c:\temp_kl\Sys_kl_uninstall2.exe
%Windir%\Sys_Kl_UNINSTALL2.EXE
%Windir%\Prefetch\1.EXE-0DEC10A9.pf
%Windir%\Prefetch\HH.EXE-2D1A70B3.pf
%Windir%\Prefetch\INSTALAR.EXE-0F095E2E.pf
%Windir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf
%Windir%\Prefetch\SYS_KL.EXE-056BF30C.pf
%Windir%\system\msstdfmt.dll
%System%\CK12
%System%\CLAK12
%System%\CSYS
%System%\JMAIL.DLL
%System%\KLKL
%System%\SYSMS.LG

The risk then creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Sys_Kl" = "C:\Archivos de Programa\Sys_Kl\sys_kl.exe 1"
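As an added example (not part of the Symantec writeup), the following Python check matches Run-key entries and file paths against the indicators listed above: it expands the %Windir%, %System% and %UserProfile% placeholders, extracts the image path from a Run command line such as the one above (which carries a trailing "1" argument), and compares paths case-insensitively. The host values, Run entries and file listing are constructed sample data.

```python
import ntpath
import re

# Indicators copied from the Spyware.SysKeylog writeup. Placeholders such as
# %Windir% are the writeup's notation and are expanded per host.
SYSKEYLOG_FILES = [
    r"c:\Archivos de Programa\Sys_Kl\Sys_Kl.exe",
    r"c:\temp_kl\Sys_Kl.exe",
    r"%Windir%\Sys_Kl_UNINSTALL2.EXE",
    r"%System%\SYSMS.LG",
    r"%System%\KLKL",
]
SYSKEYLOG_RUN_VALUE = "Sys_Kl"  # value name under HKLM\...\CurrentVersion\Run

PLACEHOLDER_RE = re.compile(r"%(\w+)%")

def expand(path, env):
    """Replace %Name% placeholders from env; names are case-insensitive."""
    lookup = {k.lower(): v for k, v in env.items()}
    return PLACEHOLDER_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def normalize(path):
    """Canonical lower-case Windows path so comparisons ignore case and slashes."""
    return ntpath.normpath(path).lower()

def image_path(command):
    """Extract the executable from a Run-key command line, quoted or unquoted.
    Unquoted example: C:\\Archivos de Programa\\Sys_Kl\\sys_kl.exe 1 -> the .exe path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def find_syskeylog(run_entries, files_present, env):
    """Return hits: ('run_key', name, command) and ('file', path) tuples."""
    wanted = {normalize(expand(p, env)) for p in SYSKEYLOG_FILES}
    hits = []
    for name, command in run_entries.items():
        if name.lower() == SYSKEYLOG_RUN_VALUE.lower() or normalize(image_path(command)) in wanted:
            hits.append(("run_key", name, command))
    hits.extend(("file", f) for f in files_present if normalize(f) in wanted)
    return hits

# Constructed sample host data (not from the writeup): one infected Run entry,
# one benign entry, and a file listing containing one of the dropped files.
SAMPLE_ENV = {"Windir": r"C:\WINDOWS", "System": r"C:\WINDOWS\system32",
              "UserProfile": r"C:\Documents and Settings\user"}
SAMPLE_RUN = {"Sys_Kl": r"C:\Archivos de Programa\Sys_Kl\sys_kl.exe 1",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\system32\SYSMS.LG", r"C:\WINDOWS\explorer.exe"]

if __name__ == "__main__":
    for hit in find_syskeylog(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_ENV):
        print(hit)
```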

The risk creates the following registry subkeys:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\cinia13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sys_Kl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\RSYSG13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SYSKL13
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\vwink13

The risk also creates the following registry subkeys; these subkeys are used by clean modules:
HKEY_CLASSES_ROOT\jmail.Attachment
HKEY_CLASSES_ROOT\jmail.Attachments
HKEY_CLASSES_ROOT\jmail.Headers
HKEY_CLASSES_ROOT\jmail.MailMerge
HKEY_CLASSES_ROOT\jmail.Message
HKEY_CLASSES_ROOT\jmail.Messages
HKEY_CLASSES_ROOT\jmail.POP3
HKEY_CLASSES_ROOT\jmail.Recipient
HKEY_CLASSES_ROOT\jmail.Recipients
HKEY_CLASSES_ROOT\jmail.SMTPMail
HKEY_CLASSES_ROOT\jmail.SpeedMailer

The risk then logs keystrokes and captures screenshots.
Writeup By: Kaoru Hayashi
