Spyware.KeySpyware

Updated: March 23, 2006 5:21:43 PM
Type: Spyware
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.KeySpyware is a spyware program that logs keystrokes and monitors user activity on the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version May 07, 2019 revision 006
  • Initial Daily Certified version March 23, 2006
  • Latest Daily Certified version May 07, 2019 revision 008
  • Initial Weekly Certified release date March 29, 2006


Technical Description


Once the risk is installed, it creates the following files:
C:\Program Files\Key Spyware\help.htm
C:\Program Files\Key Spyware\HOMEPAGE.HTM
C:\Program Files\Key Spyware\Readme.txt
C:\Program Files\Key Spyware\screen1.gif
C:\Program Files\Key Spyware\uninstall.exe
C:\Program Files\Key Spyware\pc[NUMBER].jpg
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\emaillog.txt
C:\WINDOWS\ftplog.txt
C:\WINDOWS\k183swneformat.dll
C:\WINDOWS\k183swneformat.ocx
C:\WINDOWS\SYSTEM\ksepyy.zhy
C:\WINDOWS\SYSTEM\mskbdr.dll
%UserProfile%\Start Menu\Programs\Key Spyware\Key Spyware Help.lnk
%UserProfile%\Start Menu\Programs\Key Spyware\Key Spyware Readme.lnk
%UserProfile%\Start Menu\Programs\Key Spyware\Key Spyware.lnk
%UserProfile%\Start Menu\Programs\Key Spyware\Uninstall.lnk

The risk then creates the following folders:
C:\Program Files\Key Spyware
%UserProfile%\Start Menu\Programs\Key Spyware

Next, the risk creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run\"Audiodev" = "C:\WINDOWS\SVCHOST.exe Audiodev"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Audiodev" = "C:\WINDOWS\SVCHOST.exe Audiodev"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"Audiodev" = "C:\WINDOWS\SVCHOST.exe Audiodev"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Audiodev" = "C:\WINDOWS\SVCHOST.exe Audiodev"

The risk also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\XTZY\KeySpy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeySpy

The risk then logs keystrokes and monitors user activity on the compromised computer.
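
The autorun entries listed above can be checked against an export of a machine's Run values. The following is an added example, not part of the original write-up: it flags the exact "Audiodev" indicator and, more generally, any autorun whose image is named svchost.exe but sits outside the system directory. The function names, the tuple layout of the input and the sample entries are assumptions made for illustration.

```python
import ntpath

# Indicators copied from the write-up above.
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
VALUE_NAME = "Audiodev"
VALUE_DATA = r"C:\WINDOWS\SVCHOST.exe Audiodev"
# General Windows fact, not from the page: the genuine svchost.exe sits in
# System32 (and SysWOW64 on 64-bit). Assumes Windows is installed in C:\Windows.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def image_path(command):
    """Return the executable part of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):              # quoted path, may contain spaces
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")       # unquoted: cut after the first .exe
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def check_autoruns(entries):
    """entries: iterable of (key, value_name, data). Returns a list of findings."""
    known = {k.lower() for k in RUN_KEYS}
    findings = []
    for key, name, data in entries:
        # Registry names and Windows paths are case-insensitive.
        folder, base = ntpath.split(image_path(data).lower())
        if (key.lower() in known and name.lower() == VALUE_NAME.lower()
                and data.strip().lower() == VALUE_DATA.lower()):
            findings.append(("exact-indicator", key, name))
        elif base == "svchost.exe" and folder not in LEGIT_DIRS:
            findings.append(("svchost-outside-system32", key, name))
    return findings

# Constructed sample input (not real telemetry).
SAMPLE = [
    (RUN_KEYS[1], "Audiodev", r"C:\WINDOWS\SVCHOST.exe Audiodev"),
    (RUN_KEYS[3], "ExampleApp", r'"C:\Program Files\Example App\app.exe" /tray'),
    (RUN_KEYS[3], "Updater", r'"D:\Temp\svchost.exe" -k netsvcs'),
]

if __name__ == "__main__":
    for finding in check_autoruns(SAMPLE):
        print(finding)
```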