Keylogger.Stawin

Discovered: January 28, 2004
Updated: January 28, 2004 3:55:04 PM
Systems Affected: Windows

Keylogger.Stawin is a keylogging trojan that attempts to steal a user's online banking credentials.

Keylogger.Stawin is a trojan that logs keystrokes entered into windows containing certain strings. This trojan was recently spammed in an email message with the following properties:
Subject: I still love you <random characters>

Message Body:
Error 551: We are sorry your UTF-8 encoding is not supported by the server,
so the text was automatically zipped and attached to this message.

Attachment: message.zip

When the trojan is executed, it creates the following files:
%Windir%\MESSAGE.EXE - trojan's executable
%Windir%\HOOKERDLL.DLL - keylogger

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"OLE" = %Windir%\MESSAGE.EXE

The trojan monitors windows with any of the following strings in the window titles:
Westpac
ANZ
Logon
Access
bendigo
Bendigo
e-bendigo
e-Bendigo
commbank
Commonwealth
NetBank
Citibank
e-gold
e-bullion
e-Bullion
evocash
EVOCash
EVOcash
intgold
INTGold
paypal
PayPal
bankwest
Bank West
BankWest
National
cibc
CIBC
scotiabank
ScotiaBank
Scotia Bank
bmo
BMO
bank of montreal
Bank of Montreal
royalbank
Royal Bank
RoyalBank
tdcanadatrust
TD Canada Trust
TDCanadaTrust
president's choice
President's Choice
President Choice
suncorpmetway
Suncorp
macquarie
Macquarie
INTgold
1mdc
1MDC
bank
Bank
goldmoney
GoldMoney
goldgrams
pecunix
Pecunix
Pecun!x
hyperwallet
HyperWallet

It logs any keystrokes entered into these windows to the following file:
%Windir%\KGN.TXT

The keylog is periodically emailed to the remote attacker. The message has the following properties:
From: govnodav2004@mail.ru
To: govnodav2004@mail.ru
Subject: Keylog from (<computer name>)
Body:
<window title>
------------------------ <logged data>

After the email is sent, the trojan deletes KGN.TXT.
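The persistence entry, dropped files and exfiltration message described above can be turned into host and mail-gateway checks. The following is an added example written for this page, not code from the original writeup; the computer name and the Run-key entries in the sample input are constructed placeholders.

```python
"""Detection helpers for the Keylogger.Stawin indicators described above (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Iterable, List, Optional

# Indicators taken from the writeup: exfiltration address, subject pattern,
# persistence value name, executable name and dropped files under %Windir%.
EXFIL_ADDRESS = "govnodav2004@mail.ru"
SUBJECT_RE = re.compile(r"^Keylog from \((?P<host>[^)]+)\)$")
RUN_VALUE_NAME = "OLE"
RUN_DATA_RE = re.compile(r"\\MESSAGE\.EXE$", re.IGNORECASE)
DROPPED_FILES = {"MESSAGE.EXE", "HOOKERDLL.DLL", "KGN.TXT"}

def check_outbound_mail(raw_message: str) -> Optional[dict]:
    """Flag an outbound message matching the keylog exfiltration pattern.

    Returns None for clean mail, otherwise a finding that includes the victim
    computer name parsed from the subject (useful for scoping an incident).
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    reasons = []
    if m:
        reasons.append("subject matches 'Keylog from (<computer name>)'")
    if EXFIL_ADDRESS in (sender, recipient):
        reasons.append(f"{EXFIL_ADDRESS} appears in From/To")
    if not reasons:
        return None
    return {"victim_host": m.group("host") if m else None, "reasons": reasons}

def check_run_entries(run_entries: dict) -> List[str]:
    """Flag HKLM\\...\\Run values that look like the trojan's "OLE" = MESSAGE.EXE entry."""
    return [f'Run\\"{name}" = {data}' for name, data in run_entries.items()
            if name == RUN_VALUE_NAME and RUN_DATA_RE.search(data)]

def check_windir_files(filenames: Iterable[str]) -> List[str]:
    """Return the names from a %Windir% listing that match the dropped files."""
    return sorted(f for f in filenames if f.upper() in DROPPED_FILES)

# Constructed sample of the exfiltration message (computer name is a placeholder).
SAMPLE_EXFIL_MAIL = """\
From: govnodav2004@mail.ru
To: govnodav2004@mail.ru
Subject: Keylog from (WORKSTATION-07)

NetBank - Logon
------------------------ <logged data placeholder>
"""
```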