Home / malwarePDF  

MonitoringTool:Win32/FamilyKeyLogger


First posted on 23 October 2012.
Source: Microsoft

Aliases :

MonitoringTool:Win32/FamilyKeyLogger is also known as Keylog-Family (McAfee), FamilyKeylogger (Sophos).

Explanation :



MonitoringTool:Win32/FamilyKeyLogger is a commercial monitoring tool called "Family Keylogger". It can stealthily record your keystrokes and track applications you launch, emails you send, websites you visit and information you type into website forms.

This tool may be present and installed intentionally by a computer user.



Installation

When first run, MonitoringTool:Win32/FamilyKeyLogger may create the following files:

  • <random name>.dll
  • <random name>.exe
  • QuickStart.html
  • uninstall.exe


Where <random name> is a specific string that differs between installations of the tool. In the wild, we have observed the following names:

  • cisvc
  • ctfmon
  • mw2mmgr32
  • mwmmgr32
  • svcdotnet
  • svcnet2


The tool creates these files in a folder path that also differs between installations of the tool. In the wild, we have observed the following folder paths:

  • %ProgramFiles%\FamilyKeyLogger
  • %windir%\mw2mmgr32
  • %windir%\svcdotnet
  • %windir%\svcnet2
  • <system folder>\CTF
  • <system folder>\mwmmgr32


For example, we have observed the following files and folder paths for one installation of the tool:

  • %ProgramFiles%\FamilyKeyLogger\cisvc.dll
  • %ProgramFiles%\FamilyKeyLogger\cisvc.exe
  • %ProgramFiles%\FamilyKeyLogger\QuickStart.html
  • %ProgramFiles%\FamilyKeyLogger\uninstall.exe


And the following for another installation of the tool:

  • <system folder>\CTF\ctfmon.dll
  • <system folder>\CTF\ctfmon.exe
  • <system folder>\CTF\QuickStart.html
  • <system folder>\CTF\uninstall.exe


Note: %ProgramFiles% refers to a variable location that is determined by the tool by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".

Note: %windir% refers to a variable location that is determined by the tool by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, and 7 it is "C:\Windows".

Note: <system folder> refers to a variable location that is determined by the tool by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".

It also drops the following shortcut files (LNK) into the "<start menu>\Programs\Family Keylogger\" folder:

  • Family Keylogger.lnk
  • Help.lnk
  • Quick Start.lnk
  • Reset Settings.lnk
  • Uninstall.lnk


Note: <start menu> refers to a variable location that is determined by the tool by querying the operating system. The default location for the Start Menu folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Start Menu" or "C:\Users\<user>\Start Menu". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu".

MonitoringTool:Win32/FamilyKeyLogger modifies the registry to ensure that it runs at each Windows start. The value and data the tool modifies varies between installations; we have observed the following modifications:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svcnet2"
With data: "%windir%\svcnet2\svcnet2.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svcdotnet"
With data: "%windir%\svcdotnet\svcdotnet.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Sys32V2Contoller"
With data: "%windir%\mw2mmgr32\mw2mmgr32.exe"

It also modifies the registry to create an option in the Programs and Features control panel menu that will uninstall the tool.

The name of the registry subkey differs between installations of the tool; in the wild we have observed the following subkeys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FKL
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FamilyKeyLogger


The tool will set the following values and data under the chosen subkey:

Sets value: "DisplayName"
With data: "Family-Keylogger (remove only)"

Sets value: "UninstallString"
With data: "<path of "uninstall.exe">"

In our analysis, however, we determined that using this uninstallation option will not remove or delete the log file where the keystrokes and other information have been stored.

MonitoringTool:Win32/FamilyKeyLogger also creates the following registry keys, possibly to check if the tool has already been installed on your computer:

  • HKLM\Software\SAXP32\F4KL
  • HKLM\Software\svcdotnet
  • HKLM\Software\KMiNT21\FamilyKeyLogger
Additional information

The following is a screenshot of the monitoring tool's interface:



The tool also appears in the taskbar notification area, with the following pop-up menu:



The monitoring tool opens "QuickStart.html", which it creates during installation. The HTML file appears as follows:



MonitoringTool:Win32/FamilyKeyLogger stealthily records your keystrokes and tracks applications you launch, emails you send, websites you visit and information you type into website forms.

The gathered information may be saved into the following files, using the file name the tool used during its installation:

  • <random name>.cfg
  • <random name>.inc
  • <random name>.txt


For example, we have observed the following file names for one installation of the tool:

  • mwmmgr.cfg
  • mwmmgr.inc
  • mwmmgr.txt


And the following for another installation of the tool:

  • svcdotnet.cfg
  • svcdotnet.inc
  • svcdotnet.txt


It creates these files in either the "%ALLUSERSPROFILE%\Application Data" folder or the tool's original installation folder, for example:

  • %Program Files%\FamilyKeyLogger\cisvc.cfg
  • %Program Files%\FamilyKeyLogger\cisvc.inc
  • %Program Files%\FamilyKeyLogger\cisvc.txt


Note: %ALLUSERSPROFILE% refers to a variable location that is determined by the tool by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\All Users". For Windows Vista and 7, the default location is "C:\ProgramData".



Analysis by Ric Robielos

Last update 23 October 2012

 

TOP

Malware :