TrojanSpy:MSIL/Hakey.A
First posted on 23 April 2015.
Source: Microsoft
Aliases:
There are no other names known for TrojanSpy:MSIL/Hakey.A.
Explanation:
Threat behavior
Installation
This threat creates a copy of itself with hidden attributes in the following location:
\Important\svchost.exe
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svchost"
With data: "\Important\svchost.exe"
The malware also modifies the following registry entries as a part of its malicious routine:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "dword:00000002"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "dword:00000001"
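The registry changes listed above can be checked offline in a .reg export collected from a suspect PC. The following is an added example, not part of the original analysis; the function names and the sample export (including its directory prefix, which the page does not give) are constructed for illustration.

```python
import re

RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg(text):
    """Parse .reg export text into {key_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m["name"].lower()] = m["data"]
    return keys

def reg_string(raw):
    """Unquote a REG_SZ value and undo the export's backslash escaping."""
    return raw.strip('"').replace("\\\\", "\\")

def check_hakey(text):
    """Return (strong, weak) indicator lists for the values described on this page."""
    keys, strong, weak = parse_reg(text), [], []
    run = keys.get(RUN, {})
    if "svchost" in run:
        path = reg_string(run["svchost"])
        # The genuine svchost.exe is started by the Service Control Manager,
        # not from a Run key, so any Run value with this name deserves review.
        if path.lower().endswith(r"\important\svchost.exe"):
            strong.append(f"Run\\svchost -> {path}")
        else:
            weak.append(f"Run\\svchost -> {path}")
    adv = keys.get(ADV, {})
    # Hidden=2 and HideFileExt=1 match stock Explorer settings, so they only
    # corroborate a Run-key hit; on their own they are not a detection.
    for name, bad in (("hidden", "dword:00000002"), ("hidefileext", "dword:00000001")):
        if adv.get(name, "").lower() == bad:
            weak.append(f"Explorer\\Advanced\\{name}={bad}")
    return strong, weak

# Constructed sample export; the directory prefix is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\ExamplePrefix\\Important\\svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
'''
```

Files written by regedit's export are normally UTF-16, so decode them with that encoding before passing the text to check_hakey.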
Payload
Records your keystrokes
This threat can monitor and record what you do on your PC. This includes:
- The keys you press
- Your mouse clicks
- The windows you open
The recorded information is saved to the log file %TEMP%\log.txt and is sent to a malicious hacker via email.
Additional information
This threat creates the mutex APName. This can be an infection marker to prevent more than one copy of the threat running on your PC.
Analysis by Ric Robielos
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
\Important\svchost.exe
- You see these entries or keys in your registry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svchost"
With data: "\Important\svchost.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "dword:00000002"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "dword:00000000"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "dword:00000001"
Last update 23 April 2015