This program can be downloaded from www.ematrixsoft.com.
When the risk is executed, it creates the following files:
- %System%\adsnwk.exe
- %System%\keylappini.ini
- %System%\mscomct2.ocx
- %System%\TABCTL32.OCX
- %System%\MSCHRT20.OCX
- %System%\mxpvct22.dat
- %System%\mxpvct25.dat
- %UserProfile%\Local Settings\Temp\MSIda[RANDOM NUMBERS].LOG
- %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS].tmp
- %ProgramFiles%\KEYCS\data\dpnsvrk.exe
- %ProgramFiles%\KEYCS\data\emxfile005.dat
- %ProgramFiles%\KEYCS\data\keylusr.ini
- %ProgramFiles%\KEYCS\data\ps_demo_report.html
- %ProgramFiles%\KEYCS\data\testftpok.html
- %ProgramFiles%\KEYCS\data\vssvck.exe
- %ProgramFiles%\KEYCS\help.chm
- %ProgramFiles%\KEYCS\License.txt
- %ProgramFiles%\KEYCS\readme.txt
- %ProgramFiles%\KEYCS\unins000.dat
- %ProgramFiles%\KEYCS\unins000.exe
- %ProgramFiles%\KEYCS\winkeyl.exe
- %Windir%\Installer\[RANDOM NUMBERS].mst
Next, it creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"adsnwk" = "%System%\adsnwk.exe"
The program also creates the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\system32\comdlg32.OCX" = "2"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\system32\MSCOMCTL.OCX" = "2"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\system32\mscomct2.OCX" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\system32\msvbvm60.dll" = "2"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\system32\mxpvct22.dat" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"C:\WINDOWS\system32\mxpvct25.dat" = "1"
It then creates the following registry subkeys:
- HKEY_CLASSES_ROOT\Chilkat.Email2.1
- HKEY_CLASSES_ROOT\Chilkat.Email2
- HKEY_CLASSES_ROOT\Chilkat.EmailBundle2.1
- HKEY_CLASSES_ROOT\Chilkat.EmailBundle2
- HKEY_CLASSES_ROOT\Chilkat.MailMan2.1
- HKEY_CLASSES_ROOT\Chilkat.MailMan2
- HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatEmail2.1
- HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatEmail2
- HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatEmailBundle2.1
- HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatEmailBundle2
- HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatMailMan2.1
- HKEY_CLASSES_ROOT\ChilkatMail2.ChilkatMailMan2
- HKEY_CLASSES_ROOT\Interface\{06544919-F559-4AE5-9001-F903BD8A84E6}
- HKEY_CLASSES_ROOT\Interface\{51A0888C-9970-44DE-8C2C-835BA870D06F}
- HKEY_CLASSES_ROOT\Interface\{5ACAE4B8-62D9-4124-A58A-9B1258B77E99}
- HKEY_CLASSES_ROOT\Interface\{7D37DED8-1945-4E42-A3FD-B9620E0AD8E3}
- HKEY_CLASSES_ROOT\Interface\{C4C23B78-DB98-444C-B601-DCAC6EBBEC54}
- HKEY_CLASSES_ROOT\Interface\{CCB7FB40-99EC-4678-9202-52798DA78ABA}
- HKEY_CLASSES_ROOT\Interface\{D12FB216-99DA-4EB3-9CC0-C0F760B174A0}
- HKEY_CLASSES_ROOT\Interface\{D56C1AF1-3FDE-471C-9BC2-C52515F260C1}
- HKEY_CLASSES_ROOT\Interface\{E656B867-992C-4462-A27D-EBE604EC3A48}
- HKEY_CLASSES_ROOT\TypeLib\{1DF3AFED-99E0-4474-9900-954B8FD24E86}
- HKEY_CLASSES_ROOT\CLSID\{A4643A87-99A0-4404-9BC5-2322BDD61637}
- HKEY_CLASSES_ROOT\CLSID\{A46E5261-9956-4767-88CA-DFCED050D09E}
- HKEY_CLASSES_ROOT\CLSID\{A7EC2CD3-9941-4FD4-9D01-105DC16A4313}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KSM_is1
The risk may then record keystrokes made on the computer.
Logs and reports may be sent to a predefined location.
