HUNTER'S LOG
Hunter's Word

The Internet is filled with amazing amounts of information. There is so much to explore and so much to learn, and it would seem that all of it is freely available to anyone: an informational Garden of Eden.
That is not entirely the case. In this garden there are snakes at almost every click of the mouse, waiting to strike, and there is always a new breed, one we did not recognize yesterday, disguised as something friendly or necessary. Spyware and adware have moved out of the shadows of software piracy and pornographic websites. I've infected computers by installing screensavers or games, listening to music, or even just browsing for information. It is not safe out there unless someone is constantly keeping up with the newest infections and the latest variants of known malicious software. We are doing just that, to make sure our software is up to the task of removing the latest infections.
A Hunter's work is never done.


Archive

- 20060421 - Keyloggers
- 20060417 - VXGame
- 20060330 - Winsupdater
- 20060311 - Mailspam
- 20060228 - Hijackers
- 20060212 - Disabler
- 20060114 - INET
- 20060104 - Raze
- 20051219 - SpyAxe
- 20051205 - MsConfg
- 20051116 - NNNL
- 20051109 - KickOff

Hunter's Log: 20060421 230057

Keyloggers are a silent but dangerous threat that catches people off guard. A keylogger records the keystrokes typed on the keyboard, often captures other computer activity as well (visited URLs, screenshots), and sends the captured data to a remote location. That data can be used to steal login names, passwords and personal details, which can lead to identity theft. Many keyloggers are downloaded and silently installed by trojans. There are also commercial keyloggers that users purchase and intentionally install to monitor activity on their own computers.

First, let's look at two keyloggers that are installed by trojans.

Keylogger.msconfg is silently installed by trojans. It runs in the background with no visible window, logs every keystroke and sends the collected data to a remote location. Note how the persistence entries below are disguised: the value names claim to be "Microsoft Update", and the file names msconfg.exe and servic.exe are truncated versions of the legitimate Windows program names msconfig.exe and services.exe. The values hold bare file names rather than full paths, so Windows locates the programs through its search path, which includes System32, where the copies are dropped. RunServices is a Windows 9x/Me autostart key that NT-based Windows ignores; the malware writes both Run and RunServices so that it starts on either platform. Here are the details of this malicious program.

C:\WINDOWS\system32\msconfg.exe
C:\WINDOWS\system32\servic.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="msconfg.exe"
"Microsoft Update 32"="servic.exe"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="msconfg.exe"
"Microsoft Update 32"="servic.exe"


[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="msconfg.exe"

[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\OLE]
"Microsoft Update 32"="servic.exe"

The S-1-5-21-... SID in the HKEY_USERS paths identifies the user account on the infected machine and differs on every system, so match on the key suffix and value names rather than on the SID. The files of Keylogger.msconfg usually carry the hidden attribute, so they do not show up in Explorer with default view settings, which helps keep the average user from noticing them.

Keylogger.winldra is another keylogger delivered silently by trojans. The details:

C:\WINDOWS\dvpd.dll
C:\WINDOWS\netdx.dat
C:\WINDOWS\prntsvra.dll
C:\WINDOWS\socks.dat
C:\WINDOWS\winsms.dll
C:\WINDOWS\system32\winldra1.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINDOWS\\System32\\winldra1.exe"

[HKEY_USERS\S-1-5-21-1085031214-1708537768-839522115-500\Software\SARS]
"SocksPort"=dword:00002fa7
"mailsended"="1"

Keylogger.winldra specifically watches for visits to the websites of financial institutions such as Citibank.com, Plainscapital.com and Firstdirect.com, silently records the login names and passwords entered there, and sends them to a remote location. The configuration under Software\SARS is telling: "SocksPort" (0x2fa7, decimal 12199) alongside the socks.dat file suggests the trojan also opens a SOCKS proxy on the infected machine, and "mailsended" reads like a flag recording that the captured data has already been mailed out. The HKEY_USERS path ends in the relative ID 500, which is the built-in Administrator account, so on this system the sample was running with administrative rights.

Now let's look at some commercial keyloggers that users can download and purchase to monitor activity on their own computers. Wintective Keylogger is one such product. It logs keystrokes and visited URLs, storing them on disk as plain HTML (logs\key_log.htm, url_log.htm), and also captures screenshots of computer activity. Two caveats for anyone cleaning this up by hand. The COM classes that wintective.dll registers (OSSMTP.SMTPSession, OSSMTP.Attachment, OSSMTP.CustomHeader) are an SMTP client library, which indicates the product can mail its logs out, so outbound mail from the machine is part of the exposure. And the other System32 files in the listing (COMDLG32.OCX, MSSTDFMT.DLL, mswinsck.ocx, VB6STKIT.DLL) are shared Visual Basic 6 runtime components that other applications may depend on, as is the ST6UNST uninstaller; remove wintective.exe, wintective.dat, wintective.dll and the log files, and leave the shared runtime files alone.


C:\Program Files\wintective\ST6UNST.LOG
C:\Program Files\wintective\wintective.dat
C:\Program Files\wintective\wintective.exe
C:\Program Files\wintective\logs\key_log.htm
C:\Program Files\wintective\url_log.htm

C:\WINDOWS\system32\COMDLG32.OCX
C:\WINDOWS\system32\MSSTDFMT.DLL
C:\WINDOWS\system32\mswinsck.ocx
C:\WINDOWS\system32\VB6STKIT.DLL
C:\WINDOWS\system32\wintective.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}]
"(Default)"="OSSMTP.Attachment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\InprocServer32]
"(Default)"="C:\WINDOWS\System32\wintective.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\ProgID]
"(Default)"="OSSMTP.Attachment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\TypeLib]
"(Default)"="{AA987BF8-E849-4996-9335-413DF4A8158A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}\VERSION]
"(Default)"="13.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}]
"(Default)"="OSSMTP.SMTPSession"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\InprocServer32]
"(Default)"="C:\WINDOWS\System32\wintective.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\ProgID]
"(Default)"="OSSMTP.SMTPSession"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\TypeLib]
"(Default)"="{AA987BF8-E849-4996-9335-413DF4A8158A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}\VERSION]
"(Default)"="13.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}]
"(Default)"="OSSMTP.CustomHeader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\InprocServer32]
"(Default)"="C:\WINDOWS\System32\wintective.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\ProgID]
"(Default)"="OSSMTP.CustomHeader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\TypeLib]
"(Default)"="{AA987BF8-E849-4996-9335-413DF4A8158A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}\VERSION]
"(Default)"="13.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0]
"(Default)"="OSSMTP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0\0\win32]
"(Default)"="C:\WINDOWS\System32\wintective.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0\FLAGS]
"(Default)"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}\d.0\HELPDIR]
"(Default)"="C:\WINDOWS\System32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wintective.exe]
"(Default)"="C:\Program Files\wintective\wintective.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #1]
"ApplicationName"="wintective.exe"
"DisplayName"="Wintective KeyLogger and ScreenShot Capture"
"UninstallString"="C:\WINDOWS\st6unst.exe -n "C:\Program Files\wintective\ST6UNST.LOG" "
"AppToUninstall"="wintective.exe"

Another commercial keylogger is the iOpus Starr Keylogger. It runs silently and installs under random-looking file names (vxdKrn* on this system) to make detection harder. It logs keystrokes, captures screenshots and makes the captured data available remotely. Two details in the listing below deserve attention. First, the autostart lives in the policies\Explorer\Run key rather than the ordinary Run key, a location that an inspection of only the usual Run keys misses. Second, vxdKrnc is registered as a service with Type 1 (kernel driver) and Start 3 (demand start), and its Enum subkey binds it to ACPI\PNP0303, the Plug and Play ID of the PC/AT keyboard controller: the product captures keystrokes with a kernel-mode keyboard filter driver (vxdKrnc.sys), below the reach of user-mode hook detection. The long base64-looking file name under Application Data and the values under HKEY_LOCAL_MACHINE\SOFTWARE\vxdKrn\Shared are opaque, apparently encoded data.

C:\Documents and Settings\All Users\Application Data\vxdKrn\wzC4F507zOoJReQBQLn8ROmq10a+5KA9iAYYiAB2cfQ=.dat

Directory of C:\WINDOWS\system32
actmon.exe
vxdKrn.exe
vxdKrnb.dll
vxdKrnb.exe
vxdKrnc.dll
vxdKrnc.vxd
vxdKrnd.dll
vxdKrne.dll

Directory of C:\WINDOWS\system32\drivers
vxdKrnc.sys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"vxdKrn"="\"C:\\WINDOWS\\System32\\vxdKrn.exe\" -at"

[HKEY_LOCAL_MACHINE\SOFTWARE\vxdKrn]

[HKEY_LOCAL_MACHINE\SOFTWARE\vxdKrn\Shared]
"2000400"="F83sBd8Z3hjsvVEg3gmS7g=="
"2000300"="BsbqzaX24vQcqaIWDA7zWg=="

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vxdKrnc]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vxdKrnc\Enum]
"0"="ACPI\\PNP0303\\4&11876118&0"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vxdKrnc]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vxdKrnc]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vxdKrnc\Enum]
"0"="ACPI\\PNP0303\\4&11876118&0"
"Count"=dword:00000001
"NextInstance"=dword:00000001

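The indicators in the Keylogger.msconfg and iOpus Starr listings above lend themselves to two mechanical checks. The script below is an added example, not code from the original entry or from TrekBlue: it parses regedit-style text (the sample is constructed from the keys shown on this page), flags autostart values that pose as "Microsoft Update", use bare file names or are near-misses of real Windows binaries, and reports services registered as kernel drivers that are enumerated on the keyboard controller. The 0.85 similarity threshold and the short list of system binaries are assumptions of the example.

```python
"""Triage a regedit-style export for keylogger persistence (added example).

Not code from the original Hunter's Log entry. It flags (1) autostart values
in Run, RunServices and policies\\Explorer\\Run, including per-user copies under
HKEY_USERS\\<SID>, that pose as Microsoft components, use bare file names or
are near-misses of real system binaries, and (2) services registered as kernel
drivers (Type=1) and enumerated on ACPI\\PNP0303, the keyboard controller.
SAMPLE is constructed from the indicators on this page.
"""
import re
from difflib import SequenceMatcher

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="msconfg.exe"
"Microsoft Update 32"="servic.exe"
"load32"="C:\\WINDOWS\\System32\\winldra1.exe"
[HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="msconfg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"vxdKrn"="\"C:\\WINDOWS\\System32\\vxdKrn.exe\" -at"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vxdKrnc]
"Type"=dword:00000001
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vxdKrnc\Enum]
"0"="ACPI\\PNP0303\\4&11876118&0"
'''

AUTOSTART_RE = re.compile(r"\\currentversion\\(run|runservices|policies\\explorer\\run)$", re.I)
# Legitimate binaries that trojan file names are often one letter away from (assumed list).
SYSTEM_BINARIES = {"msconfig.exe", "services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
KEYBOARD_HWID = "acpi\\pnp0303"  # Plug and Play ID of the PC/AT keyboard controller
SERVICE_START = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def unescape(s):
    """Undo .reg escaping of backslash and double quote."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key: {name: value}}; dword values become ints, strings are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, raw = line.partition("=")
            value = int(raw[6:], 16) if raw.startswith("dword:") else unescape(raw.strip('"'))
            keys[current][unescape(name.strip('"'))] = value
    return keys


def first_token(cmd):
    """Executable path from a command line, honouring a quoted first argument."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def lookalike(exe):
    """Closest system binary when exe is a near-miss of it (ratio >= 0.85), else None."""
    exe = exe.lower()
    if exe in SYSTEM_BINARIES:
        return None
    best = max(SYSTEM_BINARIES, key=lambda s: SequenceMatcher(None, exe, s).ratio())
    return best if SequenceMatcher(None, exe, best).ratio() >= 0.85 else None


def suspicious_autostarts(keys):
    """[(key, value_name, exe, reasons)] for autostart values that look wrong."""
    findings = []
    for key, values in keys.items():
        if not AUTOSTART_RE.search(key):
            continue
        for name, cmd in values.items():
            path = first_token(cmd) if isinstance(cmd, str) else ""
            exe = path.rsplit("\\", 1)[-1]
            near = lookalike(exe)
            checks = [
                (name.lower().startswith("microsoft"), "value name poses as a Microsoft component"),
                (path and "\\" not in path, "bare file name, located through the search path"),
                (near, f"near-miss of {near}"),
                ("policies\\explorer\\run" in key.lower(), "policies\\Explorer\\Run autostart, rarely used by legitimate installers"),
            ]
            reasons = [msg for ok, msg in checks if ok]
            if reasons:
                findings.append((key, name, exe, reasons))
    return findings


def keyboard_filter_drivers(keys):
    """[(service, type, start, devices)] for kernel drivers enumerated on the keyboard."""
    findings = []
    for key, values in keys.items():
        m = re.search(r"\\services\\([^\\]+)$", key, re.I)
        if not m or values.get("Type") != 1:  # SERVICE_KERNEL_DRIVER
            continue
        devices = [v for n, v in keys.get(key + "\\Enum", {}).items() if n.isdigit()]
        if any(str(d).lower().startswith(KEYBOARD_HWID) for d in devices):
            findings.append((m.group(1), "kernel driver", SERVICE_START.get(values.get("Start"), "unknown"), devices))
    return findings


def report(text=SAMPLE):
    keys = parse_reg(text)
    return {"autostarts": suspicious_autostarts(keys), "drivers": keyboard_filter_drivers(keys)}


if __name__ == "__main__":
    for kind, rows in report().items():
        print(kind, *rows, sep="\n  ")
```

Run against the sample, it reports both msconfg.exe entries, servic.exe and the vxdKrn policy autostart, plus vxdKrnc as a demand-start kernel driver bound to ACPI\PNP0303. The winldra1.exe entry passes every heuristic: a full path in the Run key proves nothing, and listings like the ones above still need a human eye. On a live system, export the keys with reg export, decode the UTF-16 file to text, and pass it to report().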

Most keyloggers run silently. Many are installed without the user's knowledge by trojans, while commercial keyloggers are usually installed intentionally. Spyware Nuker detects and removes many commercial and trojan-installed keyloggers. Count on Spyware Nuker to help secure your personal information and to help prevent identity theft.

 

End of Entry
© 2002-2007 TrekBlue, Inc.