Trojan.Keylog.ZKT
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Keylog.ZKT is also known as Backdoor:Win32/PoisonIvy.E.
Explanation:
The virus searches for the explorer.exe process and, if it is found, injects its code into it.
The injected code overwrites the file %WINDIR%\mht32.exe with its own copy.
After that it searches the installed components under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components for one whose StubPath points to %WINDIR%\mht32.exe; if such a component is found, the virus deletes it. It then creates a component with CLSID {272BF88D-A474-622F-9684-E4E7FA186643} whose StubPath points to the virus.
The virus modifies the registry value in order to be executed at every system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
mkr32 = %WINDIR%\mht32.exe
The code injected into the explorer.exe process monitors all system messages and logs every pressed key, together with the title of the window it came from, into the file %WINDIR%\mht32.
It then starts the default system browser and injects its code there as well; that code tries to connect to [removed]-pppoe.avangarddsl.ru on port 23423 and send the data collected from the infected computer.
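The following PowerShell script is an added example (not part of the BitDefender description) that checks a live host for the persistence and file artifacts listed above: the dropped binary and key log in %WINDIR%, the mkr32 Run value, and any Active Setup Installed Components entry whose StubPath points at mht32.exe or that carries the CLSID named above. It assumes it is run with administrative rights; the file names, value name and CLSID are taken from the description, and nothing beyond them is assumed.

```powershell
# Added example: hunt for Trojan.Keylog.ZKT persistence artifacts on a live host.
# Assumes administrative rights. Indicators come from the description above only.

$suspectFile = Join-Path $env:WINDIR 'mht32.exe'   # dropped copy of the malware
$logFile     = Join-Path $env:WINDIR 'mht32'       # keystroke / window-title log
$knownClsid  = '{272BF88D-A474-622F-9684-E4E7FA186643}'
$findings    = @()

# 1. Dropped binary and keystroke log in %WINDIR%
foreach ($p in @($suspectFile, $logFile)) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $p; Detail = (Get-Item -LiteralPath $p).Length
        }
    }
}

# 2. Run key: the "mkr32" value, or any value whose data points at the dropped file
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ($prop.Name -eq 'mkr32' -or "$($prop.Value)" -match 'mht32\.exe') {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = "$runKey\$($prop.Name)"; Detail = $prop.Value
            }
        }
    }
}

# 3. Active Setup Installed Components: StubPath pointing at mht32.exe, or the known CLSID.
#    Both the native and the WOW6432Node view are checked, since a 32-bit process writing
#    HKLM\SOFTWARE on a 64-bit system is redirected to WOW6432Node.
$activeSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
foreach ($base in $activeSetupKeys) {
    if (-not (Test-Path -LiteralPath $base)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
        $stub = (Get-ItemProperty -LiteralPath $sub.PSPath -Name StubPath `
                 -ErrorAction SilentlyContinue).StubPath
        if ($sub.PSChildName -eq $knownClsid -or "$stub" -match 'mht32\.exe') {
            $findings += [pscustomobject]@{
                Type = 'ActiveSetup'; Location = $sub.PSPath; Detail = $stub
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Keylog.ZKT persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any hit should be treated as evidence of the explorer.exe injection described above, and the host should be examined for a browser process holding an outbound connection on port 23423, which is the exfiltration path the description names. Removing the Run value and the Active Setup component without also removing %WINDIR%\mht32.exe and ending the injected explorer.exe code leaves the malware able to recreate both entries.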
In fact it is a remote keylogger which sends the log file to the destination host.
Last update: 21 November 2011