Keylogger.Cone.Trojan

Discovered: July 09, 2003
Updated: May 03, 2018 1:48:32 PM
Systems Affected: Windows

Keylogger.Cone.Trojan is a trojan program that logs keystrokes and periodically transmits captured data to a remote attacker via email or ftp.

Antivirus Protection Dates

  • Initial Rapid Release version July 09, 2003
  • Latest Rapid Release version January 12, 2017 revision 025
  • Initial Daily Certified version July 09, 2003
  • Latest Daily Certified version January 13, 2017 revision 001
  • Initial Weekly Certified release date July 09, 2003

When the trojan is executed, it presents the following message to the victim:

Title: xxxx Extranal Safety Evaluation Program
Message:
Evaluation sucessfully completed
Thank you for your cooperation
Report will follow soon.

Next, Keylogger.Cone.Trojan will create the following files:
%System%\bpk.bin
%System%\rinst.dat
%System%\Win Host Process.exe
%System%\Win Host Processhk.dll
%System%\WIN HOST PROCESSr.exe
%System%\Win Host Processwb.dll

The trojan will create the following registry value to ensure that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WIN HOST PROCESS"="%system%\WIN HOST PROCESS.EXE"

Next, the 'Win Host Processwb.dll' library is registered as an Internet Explorer browser helper object (BHO) via the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}

HKEY_LOCAL_MACHINE\CLASSES\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}

HKEY_LOCAL_MACHINE\CLASSES\Interface\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}

HKEY_LOCAL_MACHINE\CLASSES\TypeLib\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}

HKEY_LOCAL_MACHINE\CLASSES\PK.IE.1

HKEY_LOCAL_MACHINE\CLASSES\PK.IE
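The file and registry artifacts listed above can be checked on a host with the following read-only PowerShell script. It is an added example, not part of the original writeup; it assumes %System% is %SystemRoot%\System32 and maps the writeup's HKEY_LOCAL_MACHINE\CLASSES paths to HKLM:\SOFTWARE\Classes.

```powershell
# Added example (not from the original writeup): report the host artifacts
# this writeup lists for Keylogger.Cone.Trojan. Read-only: it removes nothing.
# Run from an elevated PowerShell session so HKLM and System32 are readable.

$sys   = Join-Path $env:SystemRoot 'System32'      # assumption: %System% = System32
$clsid = '{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}'  # BHO CLSID from the writeup

$files = 'bpk.bin', 'rinst.dat', 'Win Host Process.exe',
         'Win Host Processhk.dll', 'WIN HOST PROCESSr.exe', 'Win Host Processwb.dll'

# Assumption: HKEY_LOCAL_MACHINE\CLASSES in the writeup is HKLM\SOFTWARE\Classes.
$keys = @(
  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
  "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
  "HKLM:\SOFTWARE\Classes\Interface\$clsid",
  "HKLM:\SOFTWARE\Classes\TypeLib\$clsid",
  'HKLM:\SOFTWARE\Classes\PK.IE.1',
  'HKLM:\SOFTWARE\Classes\PK.IE'
)

$findings = [System.Collections.Generic.List[string]]::new()

# Dropped files in %System%
foreach ($f in $files) {
  $p = Join-Path $sys $f
  if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# Run-key persistence: value name 'WIN HOST PROCESS'
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$val = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'WIN HOST PROCESS'
if ($val) { $findings.Add("run value: $run\WIN HOST PROCESS = $val") }

# BHO / COM registration keys
foreach ($k in $keys) {
  if (Test-Path -LiteralPath $k) { $findings.Add("registry key: $k") }
}

if ($findings.Count -eq 0) {
  Write-Output 'No Keylogger.Cone.Trojan artifacts found.'
} else {
  Write-Output "Possible Keylogger.Cone.Trojan infection ($($findings.Count) artifacts):"
  $findings | ForEach-Object { Write-Output "  $_" }
}
```

On 64-bit Windows a 32-bit BHO may also be registered under the WOW6432Node branches of the same paths; add those to $keys if the host is 64-bit.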

The trojan will then proceed to log keystrokes and mouse movements.

Finally, every four hours, the trojan will deliver the collected data to geo@swissops.com, using the smtp.swissops.com SMTP server.