
TrojanSpy:Win32/Keylogger.FQ


First posted on 20 March 2012.
Source: Microsoft

Aliases :

TrojanSpy:Win32/Keylogger.FQ is also known as Trojan-Spy.Win32.KeyLogger.rcf (Kaspersky), Spyware/Win32/KeyLogger (AhnLab), TR/Spy.Gen7 (Avira), Trojan.Click2.11612 (Dr.Web).

Explanation :

TrojanSpy:Win32/Keylogger.FQ is a trojan that steals user name and password details during either a Windows logon or a remote desktop client session.

Installation
This trojan may be installed by another malicious process as a randomly named file that runs as a service, as in the following example registry data modifications:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\thefqliuocfvaq
  • Sets value: "Start" With data: "2" (Automatic)
  • Sets value: "ErrorControl" With data: "0"
  • Sets value: "DisplayName" With data: "thefqliuocfvaq"

Note: the name "thefqliuocfvaq" is randomly generated and may vary among installations of the trojan. This malware may be instructed by another component to install, start, stop or delete the service.
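The service entry above leaves a recognisable footprint: an auto-start service whose DisplayName is nothing but the random key name. The following added example (not part of the Microsoft advisory) parses a constructed `reg export` fragment of the Services hive and flags entries that match that pattern; the entropy threshold and the benign "Spooler" control entry are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of a "reg export" of the Services hive. The first entry mirrors the
# advisory's data (random name, Start=2, ErrorControl=0, DisplayName = key name); Spooler is a benign control.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\thefqliuocfvaq]
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"DisplayName"="thefqliuocfvaq"
"ImagePath"="C:\\Windows\\system32\\thefqliuocfvaq.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"DisplayName"="Print Spooler"
'''

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_services(reg_text):
    """Parse a .reg export into {service_name: {value_name: int | str}} (direct subkeys only)."""
    services, current = {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sub = line[1:-1]
            sub = sub[len(SERVICES_PREFIX):] if sub.startswith(SERVICES_PREFIX) else None
            current = services.setdefault(sub, {}) if sub and "\\" not in sub else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, text = m.groups()
            # .reg files write dwords as 8 hex digits and escape backslashes in strings
            current[name] = int(dword, 16) if dword is not None else text.replace("\\\\", "\\")
    return services


def looks_random(name, min_len=10, min_entropy=3.0):
    """Heuristic (assumed threshold) for generated names: long, alphabetic, high per-character entropy."""
    if len(name) < min_len or not name.isalpha():
        return False
    probs = [c / len(name) for c in Counter(name.lower()).values()]
    return -sum(p * math.log2(p) for p in probs) > min_entropy


def find_suspicious_services(reg_text):
    """Return auto-start services whose DisplayName merely repeats a random-looking key name."""
    return [name for name, v in parse_services(reg_text).items()
            if v.get("Start") == 2 and v.get("DisplayName") == name and looks_random(name)]
```

Feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` from a host under investigation; hits are candidates for review, not verdicts, since the entropy heuristic is a rough filter.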

Payload
Steals data
The trojan runs in the background with elevated privileges, under the system account. It may capture user-entered login details when the user logs into Windows or a remote desktop client. To perform this task, the malware makes certain system API calls including:

  • WTSGetActiveConsoleSessionId() - used to get the active remote console session ID
  • WTSQueryUserToken() and DuplicateTokenEx() - used to access the Winlogon system process token


Analysis by Rex Plantado

Last update 20 March 2012
