MonitoringTool:Win32/Mipko
First posted on 14 October 2014.
Source: Microsoft
Aliases:
There are no other names known for MonitoringTool:Win32/Mipko.
Explanation:
Threat behavior
Installation
The tool creates a registry entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ so that it runs each time you start your PC.
It can install the following files into the folder %SystemRoot%\system32\mpk:
- cinfo.bin
- icon_1.ico
- libeay32.dll
- lnkmst.exe
- lsynchost.exe
- MPK.dll
- MPK.exe
- MPK64.dll
- MpkHCA.dll
- MpkHCQ12.dll
- MPKInst.exe
- MpkL64.exe
- MPKView.exe
- ogg.dll
- sqlite3.dll
- ssleay32.dll
- unins000.dat
- unins000.exe
- unins000.msg
- Vorbis.dll
- vorbisenc.dll
- vorbisfile.dll
- zlib1.dll
Behavior
The tool can run in a hidden mode - this means you won't see that it's running.
It can capture what you are doing on your PC. In particular, it can:
- Send an alert via email when it sees specified keywords and phrases
- Automatically record screenshots
- Intercept and keep a record of all running applications
- Intercept and keep a record of communications in chat rooms and instant messengers
- Log and record what you type on your keyboard, such as usernames and passwords
- Monitor the contents of your clipboard
- Periodically take pictures with your webcam
It can send this information to an email address or over an FTP connection that is specified when the tool is installed.
Analysis by Mihai Calota
Symptoms
The following could indicate that you have this program on your PC:
- You have these files in the folder %SystemRoot%\system32\mpk:
  - cinfo.bin
  - icon_1.ico
  - libeay32.dll
  - lnkmst.exe
  - lsynchost.exe
  - MPK.dll
  - MPK.exe
  - MPK64.dll
  - MpkHCA.dll
  - MpkHCQ12.dll
  - MPKInst.exe
  - MpkL64.exe
  - MPKView.exe
  - ogg.dll
  - sqlite3.dll
  - ssleay32.dll
  - unins000.dat
  - unins000.exe
  - unins000.msg
  - Vorbis.dll
  - vorbisenc.dll
  - vorbisfile.dll
  - zlib1.dll
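The symptoms above can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original Microsoft write-up: it looks for the mpk folder and the listed files, then lists the string values of the Winlogon key. Checking the SysWOW64, Sysnative and WOW6432Node views and flagging values that contain "mpk" are assumptions made here, since the page does not name the registry value.

```powershell
# Added example: triage check built from the indicators listed on this page.
# File names and the Winlogon key come from the page; the rest is assumption.
$expected = @(
    'cinfo.bin','icon_1.ico','libeay32.dll','lnkmst.exe','lsynchost.exe',
    'MPK.dll','MPK.exe','MPK64.dll','MpkHCA.dll','MpkHCQ12.dll','MPKInst.exe',
    'MpkL64.exe','MPKView.exe','ogg.dll','sqlite3.dll','ssleay32.dll',
    'unins000.dat','unins000.exe','unins000.msg','Vorbis.dll','vorbisenc.dll',
    'vorbisfile.dll','zlib1.dll'
)

# WOW64 redirection: a 32-bit process sees SysWOW64 as system32, so look in
# every view of the system directory that exists on this machine.
$dirs = 'System32','SysWOW64','Sysnative' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\mpk" } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container }

foreach ($dir in $dirs) {
    # -Force includes hidden and system files; -contains is case-insensitive.
    $present = Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $expected -contains $_.Name }
    [pscustomobject]@{
        Folder  = $dir
        Matched = @($present).Count
        Files   = ($present.Name -join ', ')
    }
}
if (-not $dirs) { 'No mpk folder found under the system directory.' }

# The page names the Winlogon key but not the value, so list every string
# value and flag any that mention "mpk" (a heuristic, not a page-given rule).
$psMeta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($key in $keys | Where-Object { Test-Path -LiteralPath $_ }) {
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psMeta -or $p.Value -isnot [string]) { continue }
        [pscustomobject]@{
            Key     = $key
            Value   = $p.Name
            Data    = $p.Value
            Suspect = $p.Value -match '\bmpk'
        }
    }
}
```

Several of the listed names (libeay32.dll, sqlite3.dll, zlib1.dll and the unins000.* files) ship with many legitimate programs, so a match only means something when the files sit together in the mpk folder.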
Last update 14 October 2014