Discovered: January 28, 2004
Updated: January 28, 2004 3:55:04 PM
Systems Affected: Windows
Keylogger.Stawin is a keylogging trojan that attempts to steal a user's online banking credentials.
Keylogger.Stawin is a trojan that logs keystrokes entered into windows containing certain strings. This trojan was recently spammed in an email message with the following properties:
Subject: I still love you <random characters>
Error 551: We are sorry your UTF-8 encoding is not supported by the server,
so the text was automatically zipped and attached to this message.
When the trojan is executed, it creates the following files:
%Windir%\MESSAGE.EXE - trojan's executable
%Windir%\HOOKERDLL.DLL - keylogger
It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"OLE" = %Windir%\MESSAGE.EXE
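A host triage check for the indicators listed above, as an added example that is not part of the original write-up: it parses the text output of `reg query` for the Run key plus a file listing of %Windir%, and reports the Run value and the two dropped files. The function names, the sample input and the default C:\WINDOWS location are assumptions made for the example.

```python
import ntpath
import re

# Indicators from the write-up; the default windir below is an assumption.
RUN_VALUE = "ole"
DROPPED_FILES = {"message.exe", "hookerdll.dll"}
# `reg query` value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")


def normalize(path, windir=r"C:\WINDOWS"):
    """Drop quotes, expand %Windir%/%SystemRoot%, normalise and lowercase."""
    path = path.replace('"', "").strip()
    path = re.sub(r"%(windir|systemroot)%", lambda _: windir, path, flags=re.I)
    return ntpath.normpath(path).lower()


def find_stawin(reg_query_output, windir_listing, windir=r"C:\WINDOWS"):
    """Return (kind, detail) findings for the Run value and the dropped files."""
    findings = []
    target = normalize(r"%Windir%\MESSAGE.EXE", windir)
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        data = normalize(m["data"], windir)
        # Match the exact path, also when arguments follow it.
        if data == target or data.startswith(target + " "):
            exact = m["name"].strip().lower() == RUN_VALUE
            findings.append(("run-key" if exact else "run-key-other-name", m["data"]))
    for name in windir_listing:
        if name.strip().lower() in DROPPED_FILES:
            findings.append(("file", name.strip()))
    return findings


# Constructed sample input, not captured from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    OLE    REG_EXPAND_SZ    %SystemRoot%\message.exe
"""
SAMPLE_DIR = ["explorer.exe", "HOOKERDLL.DLL", "MESSAGE.EXE", "notepad.exe"]

if __name__ == "__main__":
    for kind, detail in find_stawin(SAMPLE_REG, SAMPLE_DIR):
        print(f"{kind}: {detail}")
```

A "run-key-other-name" finding means a Run value points at %Windir%\MESSAGE.EXE under a name other than "OLE", which the write-up does not describe and which should be reviewed by hand.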
The trojan monitors windows with any of the following strings in the window titles:
bank of montreal
Bank of Montreal
TD Canada Trust
It logs any keystrokes entered into these windows to the following file:
The keylog is periodically emailed to the remote attacker using. The message has the following properties:
Subject: Keylog from (<computer name>)
------------------------ <logged data>
After the email is sent, the trojan deletes KGN.TXT.