A silent, but dangerous threat that can catch people off guard are keyloggers. Keyloggers may silently log keystrokes made on a keyboard, capture computer activity, and send this information to a remote location. This sensitive information can easily be used to steal login names, passwords, and personal details which can lead to identity theft. Many keyloggers come downloaded and silently installed by trojan files. There are also commercial keyloggers available that can be purchased and intentionally installed by users who want to monitor the activity on their computer.

First let’s take a look at some keyloggers that come installed by trojan files.

Keylogger.msconfg comes silently installed by trojan files. This devious program will secretly log all keystrokes and sends the collected information to a remote location. This program will also run silently in the background. Here are the details of this malicious program.

C:\WINDOWS\system32\msconfg.exe
C:\WINDOWS\system32\servic.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="msconfg.exe"
"Microsoft Update 32"="servic.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="msconfg.exe"
"Microsoft Update 32"="servic.exe"

[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="msconfg.exe"

[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\OLE]
"Microsoft Update 32"="servic.exe"

The files of Keylogger.msconfg are usually hidden to help prevent the average user from detecting its presence.

Keylogger.winldra is another keylogger that comes silently installed by trojan files. The details:

C:\WINDOWS\dvpd.dll
C:\WINDOWS\netdx.dat
C:\WINDOWS\prntsvra.dll
C:\WINDOWS\socks.dat
C:\WINDOWS\winsms.dll
C:\WINDOWS\system32\winldra1.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINDOWS\\System32\\winldra1.exe"

[HKEY_USERS\S-1-5-21-1085031214-1708537768-839522115-500\Software\SARS]
"SocksPort"=dword:00002fa7
"mailsended"="1"

Keylogger.winldra specifically monitors for visits to websites of financial institutions such as Citibank.com, Plainscapital.com, and Firstdirect.com. It will silently record login and password information and send this information to a remote location.

Now let’s look at some commercial keyloggers that users can download and purchase to monitor the activity on their personal computers. Wintective Keylogger is one such commercial keylogger. It not only logs keystrokes, but also captures screenshots of computer activity.

Directory of C:\Program Files\wintective\ST6UNST.LOG
Directory of C:\Program Files\wintective\wintective.dat
Directory of C:\Program Files\wintective\wintective.exe
Directory of C:\Program Files\wintective\logs\key_log.htm
Directory of C:\Program Files\wintective\url_log.htm

Directory of C:\WINDOWS\system32\COMDLG32.OCX
Directory of C:\WINDOWS\system32\MSSTDFMT.DLL
Directory of C:\WINDOWS\system32\mswinsck.ocx
Directory of C:\WINDOWS\system32\VB6STKIT.DLL
Directory of C:\WINDOWS\system32\wintective.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}]
"(Default)"="OSSMTP.Attachment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\InprocServer32]
"(Default)"="C:\WINDOWS\System32\wintective.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\ProgID]
"(Default)"="OSSMTP.Attachment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\TypeLib]
"(Default)"="{AA987BF8-E849-4996-9335-413DF4A8158A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\VERSION]
"(Default)"="13.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}]
"(Default)"="OSSMTP.SMTPSession"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\InprocServer32]
"(Default)"="C:\WINDOWS\System32\wintective.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\ProgID]
"(Default)"="OSSMTP.SMTPSession"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\TypeLib]
"(Default)"="{AA987BF8-E849-4996-9335-413DF4A8158A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\VERSION]
"(Default)"="13.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}]
"(Default)"="OSSMTP.CustomHeader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\InprocServer32]
"(Default)"="C:\WINDOWS\System32\wintective.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\ProgID]
"(Default)"="OSSMTP.CustomHeader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\TypeLib]
"(Default)"="{AA987BF8-E849-4996-9335-413DF4A8158A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\VERSION]
"(Default)"="13.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0]
"(Default)"="OSSMTP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0\0\win32]
"(Default)"="C:\WINDOWS\System32\wintective.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0\FLAGS]
"(Default)"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0\HELPDIR]
"(Default)"="C:\WINDOWS\System32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wintective.exe]
"(Default)"="C:\Program Files\wintective\wintective.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #1]
"ApplicationName"="wintective.exe"
"DisplayName"="Wintective KeyLogger and ScreenShot Capture"
"UninstallString"="C:\WINDOWS\st6unst.exe -n "C:\Program Files\wintective\ST6UNST.LOG" "
"AppToUninstall"="wintective.exe"

Another commercial keylogger is the iOpus Starr Keylogger. This keylogger runs silently and installs using random file names to further avoid detection. This keylogger can log keystrokes, capture screenshots, and allow remote access to this information.

C:\Documents and Settings\All Users\Application Data\vxdKrn\
wzC4F507zOoJReQBQLn8ROmq10a+5KA9iAYYiAB2cfQ=.dat

Directory of C:\WINDOWS\system32
actmon.exe
vxdKrn.exe
vxdKrnb.dll
vxdKrnb.exe
vxdKrnc.dll
vxdKrnc.vxd
vxdKrnd.dll
vxdKrne.dll

Directory of C:\WINDOWS\system32\drivers
vxdKrnc.sys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"vxdKrn"="\"C:\\WINDOWS\\System32\\vxdKrn.exe\" -at"

[HKEY_LOCAL_MACHINE\SOFTWARE\vxdKrn]

[HKEY_LOCAL_MACHINE\SOFTWARE\vxdKrn\Shared]
"2000400"="F83sBd8Z3hjsvVEg3gmS7g=="
"2000300"="BsbqzaX24vQcqaIWDA7zWg=="
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vxdKrnc]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vxdKrnc\Enum]
"0"="ACPI\\PNP0303\\4&11876118&0"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vxdKrnc]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vxdKrnc]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vxdKrnc\Enum]
"0"="ACPI\\PNP0303\\4&11876118&0"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Most Keyloggers run silently and many come unknowingly installed by trojan files, while commercial keyloggers usually come intentionally installed. Spyware Nuker has the ability to detect and remove many commercial and trojan-installed keyloggers. Count on Spyware Nuker to help secure your personal information and to help prevent identity theft.

Finding spyware is not all that difficult. It is sometimes difficult to distinguish one spyware program from another. Often they will display very similar behavior. What makes it most difficult is that it is very common for one spyware program to install another. Some programs entire purpose is to do just that. One example of this is Downloader.Vxgame. This downloader seems to be continuously updating. Its entire purpose is to download and install different spyware programs.
I found a new unwanted program on my test PC recently after a visit to a nefarious website installed Downloader.Vxgame which caused a series of automated downloads. This new item, “Trojan.Update32” did not show itself right away. After removing the known spyware items installed by Downloader.Vxgame, the PC appeared to be running normally. After a few minutes though, it was evident that the PC was running slower than normal. An inspection of the network activity showed that the PC was still infected. There was quite a bit of unsolicited network activity going on even without any web browsers windows open:

All of this activity could bring a dialup connection to a crawl. After a bit the program started downloading advertisements. Some of these were very annoying windows that would launch new browser windows as soon as the first was closed. Quite of few of these windows were loading advertisements which with pornographic content and more than one or two of them were not in English:

After inspecting the network activity that was happening in the background, it appeared that the infection was doing more than just downloading advertisements. It made several connections to the same domain and sent lists of the files found on the computers root folder. It also seemed to maintain two or three connections active at all time even once all the browser windows were closed. Here’s an example from an execution of the windows utility netstat:

An interesting aspect of Trojan.Update32 is that it hides its main file in random folders that already exist on the PC. Most malicious programs will hide their files among the windows or windows system files on the PC. Running this program twice on clean installations of windows revealed that it would randomly select an existing folder in the program files directory and insert its file there to avoid arousing suspicion by creating a new folder.

c:\program files\beyond compare 2\
wintofs32.dll

Directory of C:\Program Files\INAC\Anti Spyware\
wintofs32.dll

It would launch itself on reboot by creating a registry entry under the delay load key using the name of the program in which folder it had inserted itself. In this way, when a user looks in the registry at the different points where objects can be loaded, he or she will see the name of the program that the user already has installed on their PC.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BC 2"="{24B2B197-D6D3-2290-7E3D-1F81BE3D36E1}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"INAC ASAP"="{52AA77E3-97C4-5707-C3BC-DD3E85B64B4F}"

After an update of Spyware Nuker it was as easy as running a deep scan to remove this item. It’s a challenge, but we work day in and day out to make sure all of the new malicious programs can be removed from our customer’s PCs.

Lets take a look at a harmful worm that, quite possibly, could be spreading through emails and file sharing networks as you read this. Downloader.Winsupdater is capable of not only self distribution through emails and file sharing, but will also attempt to disable certain system utilities such as Windows Registry Editor and Task Manager.

This worm, Downloader.Winsupdater, may place itself and it’s backups into the following locations on an infected computer:

%Profile%\Local Settings\Temp\Temporary Directory 1 for a.zip\Setup.exe

%ProgramFiles%\winsupdater\winsupdater.exe
%ProgramFiles%\winsupdater\a.tmp
%ProgramFiles%\winsupdater\a.zip

%ProgramFiles%\winupdates\winupdates.exe
%ProgramFiles%\winupdates\a.tmp
%ProgramFiles%\winupdates\a.zip

Downloader.Winsupdater will drop and hide the following files into the Windows system folder:

%System%\bszip.dll
%System%\cmd.com
%System%\netstat.com
%System%\ping.com
%System%\regedit.com
%System%\taskkill.com
%System%\tasklist.com
%System%\tracert.com

These files will attempt to disable certain Windows utilities to prevent the end-user from troubleshooting and/or successfully removing the infection.

The worm also adds the following entries to the infected computer’s registry to ensure that it gets executed when the computer starts up.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"winsupdater"="C:\Program Files\winsupdater\winsupdater.exe /auto"
"winupdates"="C:\Program Files\winupdates\winupdates.exe /auto"
"(Default)"="winlog.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"(Default)"="winlog.exe"

HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-003\Software\Microsoft\OLE
"(Default)"="winlog.exe"

Once installed, the worm will attempt to distribute itself via emails or file shares and silently connect to a remote location to download and install other harmful files. Thankfully, Spyware Nuker XT can detect and remove this infection. But most importantly, Spyware Nuker XT can prevent the worm’s installer from executing.

Usually, when a computer is infected with adware/spyware or other malicious programs we expect to see the common symptoms. Programs will crash, unusual messages will display, pop-up ads will appear, or common utilities will not function properly. Recently I ran across two malware programs that did not exhibit any of these symptoms. The actions that are being taken by malware programs that we can not see can be quite harmful as well.

The two programs I discovered recently with none of the normal symptoms were running in the background and using the computers internet connection to send out spam e-mail. A company or person wanting to send out spam e-mails would want to use another person’s internet connection to do so, so that they would be less likely to be discovered as the source of the spam.

The first of these two programs, 'Malware.sndmixex' is the least sophisticated of the two. It still manages to send out its e-mails without making itself visible to the PC user. This program seems to use and target Yahoo.com e-mail addresses. Without launching an internet browser, it logs into mail.yahoo.com with rogue e-mail accounts and sends out spam e-mails to multiple addresses. It downloads address lists and spam messages to send out. When I installed it on my test machine, it started with addresses beginning with 'va' The next time I checked the messages were going to addresses beginning with 'vo'. All of the addresses were @yahoo.com. Each time I checked, the messages were being sent from a different rogue yahoo mail account. This is an example of an address used 'Cristy56075Saretta19579@yahoo.com'.

In the example shown here of the 'sent message' page that was created in the background by Malware.sndmixex, I have erased parts of the e-mail addresses so they will not be copied by others wanting to send out spam.

The second program 'Malware.Mailspam' used a more sophisticated system. It actually used the PC as a SMTP server. It was not using a third party mail program such as mail.yahoo.com to send out its messages. It was actually using the SMTP protocol and sending out e-mails directly. This program was much more active. It was making hundreds of connections at once and sending out many more messages. Using the windows utility, netstat, it was easy to see how many network connections this program was making.
After seeing all the connections being made I started monitoring the network connections with a more sophisticated network packet sniffer. With this sniffer I was able to see the content of the packets being sent by malware.mailspam. Here are the some examples of the types of messages being sent:
' Do you like refined Young schoolgirls doing fascinating . . . '
' Do you want radiant sweet virgin girls. . .'

These sexually explicit messages also contained hyperlinks to try to get the recipients of the e-mails to visit pornographic websites. The sniffer also shows that the messages were being sent using the SMTP protocol.

Having a program like this installed on ones PC is not only damaging to the recipients of the spam e-mail messages. Such heavy use of ones network connection can slow it down, especially if it is not a high bandwidth connection. A second problem is that many Internet service providers have set a limit to the bandwidth usage allowed. With such heavy usage of the network connection, this limit could easily be exceeded. Another problem, especially with the Malware.mailspam program, is that since the local PC itself is being used as a mail server to send out spam messages, ones internet service provider could suspend the account. It’s obvious that these programs are unwanted. A scan with Spyware Nuker can quickly stop the malicious program from sending out the unwanted spam messages.