System Infected: Elite KeyLogger Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Spyware.SuperKeylogger communicating and requesting information from its controlling server.

Additional Information

When Spyware.SuperKeylogger is executed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Desktop\SuperKeylogger.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Sklgr30\SuperKeylogger.lnk
* %ProgramFiles%\Sklgr30\1\aslee.log
* %ProgramFiles%\Sklgr30\appLog1.log
* %ProgramFiles%\Sklgr30\appLog2.log
* %ProgramFiles%\Sklgr30\Aslee.dll
* %ProgramFiles%\Sklgr30\config.dll
* %ProgramFiles%\Sklgr30\Mainapppath.sys
* %ProgramFiles%\Sklgr30\ms.dll
* %ProgramFiles%\Sklgr30\Naslee.dll
* %ProgramFiles%\Sklgr30\PCService.exe
* %ProgramFiles%\Sklgr30\SChal.exe
* %ProgramFiles%\Sklgr30\ServiceName.ini
* %ProgramFiles%\Sklgr30\Settings.dll
* %ProgramFiles%\Sklgr30\Sk.exe
* %ProgramFiles%\Sklgr30\sklgr.exe
* %ProgramFiles%\Sklgr30\UnInstaller.exe

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

2. Adds the value:

"sysApp" = "C:\Program Files\Sklgr30\sklgr.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

3. Monitors and records keystrokes, instant message conversations, and Web sites visited.

4. Periodically captures screenshots.
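The file paths and the Run value listed above are host indicators a responder can check directly, independently of the network signature. The following script is an added example, not Symantec's code: it compares evidence from a host against the indicators above. find_indicators() is pure and runs on data handed to it (the sample evidence at the bottom is constructed for an offline run), while collect_from_host() gathers the same inputs from a live Windows machine via the standard-library winreg module. The environment-variable names and the HKLM abbreviation in the output are the only assumptions beyond what the advisory states.

```python
"""Host check for the Spyware.SuperKeylogger artifacts listed in this advisory."""
import os
import re
import sys

# File paths copied from the advisory. %VAR% placeholders are expanded per host.
DROPPED_FILES = [
    r"%UserProfile%\Desktop\SuperKeylogger.lnk",
    r"%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Sklgr30\SuperKeylogger.lnk",
    r"%ProgramFiles%\Sklgr30\1\aslee.log",
    r"%ProgramFiles%\Sklgr30\appLog1.log",
    r"%ProgramFiles%\Sklgr30\appLog2.log",
    r"%ProgramFiles%\Sklgr30\Aslee.dll",
    r"%ProgramFiles%\Sklgr30\config.dll",
    r"%ProgramFiles%\Sklgr30\Mainapppath.sys",
    r"%ProgramFiles%\Sklgr30\ms.dll",
    r"%ProgramFiles%\Sklgr30\Naslee.dll",
    r"%ProgramFiles%\Sklgr30\PCService.exe",
    r"%ProgramFiles%\Sklgr30\SChal.exe",
    r"%ProgramFiles%\Sklgr30\ServiceName.ini",
    r"%ProgramFiles%\Sklgr30\Settings.dll",
    r"%ProgramFiles%\Sklgr30\Sk.exe",
    r"%ProgramFiles%\Sklgr30\sklgr.exe",
    r"%ProgramFiles%\Sklgr30\UnInstaller.exe",
]
# Persistence entry from the advisory: value name and data under HKLM\...\Run.
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "sysApp"
RUN_VALUE_DATA = r"C:\Program Files\Sklgr30\sklgr.exe"


def expand(template, env):
    """Expand %VAR% placeholders case-insensitively from the mapping env."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), template)


def find_indicators(existing_paths, run_values, env):
    """Match host evidence against the advisory's indicators.

    existing_paths: file paths present on the host; run_values: {name: data}
    read from the Run key. Returns a list of (kind, detail) findings.
    """
    findings = []
    present = {p.lower() for p in existing_paths}
    for template in DROPPED_FILES:
        path = expand(template, env)
        if path.lower() in present:
            findings.append(("file", path))
    for name, data in run_values.items():
        # Registry data may be stored with surrounding quotes; normalise before comparing.
        if name.lower() == RUN_VALUE_NAME.lower() and data.strip('"').lower() == RUN_VALUE_DATA.lower():
            findings.append(("registry", r"HKLM\{}\{} = {}".format(RUN_SUBKEY, name, data)))
    return findings


def collect_from_host():
    """Gather inputs for find_indicators() from the local Windows host."""
    import winreg  # Windows-only standard-library module, imported lazily
    env = {k: v for k, v in os.environ.items()
           if k.lower() in ("userprofile", "programfiles", "systemdrive")}
    existing = [p for p in (expand(t, env) for t in DROPPED_FILES) if os.path.exists(p)]
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            run_values[name] = str(data)
            index += 1
    return existing, run_values, env


# Constructed sample evidence (not from the advisory) for an offline run.
SAMPLE_ENV = {"UserProfile": r"C:\Documents and Settings\alice",
              "ProgramFiles": r"C:\Program Files", "SystemDrive": "C:"}
SAMPLE_FILES = [r"C:\Program Files\Sklgr30\sklgr.exe",
                r"C:\Program Files\Sklgr30\PCService.exe",
                r"C:\Documents and Settings\alice\Desktop\notes.txt"]
SAMPLE_RUN = {"sysApp": r"C:\Program Files\Sklgr30\sklgr.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    evidence = collect_from_host() if sys.platform == "win32" else (SAMPLE_FILES, SAMPLE_RUN, SAMPLE_ENV)
    for kind, detail in find_indicators(*evidence):
        print(f"[{kind}] {detail}")
```

Run it on the host under investigation with the same definitions updated and a full scan queued, as the Response section directs; matches on the Run value are the strongest single indicator because that entry is what relaunches sklgr.exe at logon.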

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.