SecurityHome.eu Trojan-Spy:W32/KeyLogger.RK

Home / malware PDF

Trojan-Spy:W32/KeyLogger.RK

First posted on 31 October 2007.
Source: SecurityHome
Aliases :
Trojan-Spy:W32/KeyLogger.RK is also known as Trojan-Spy.Win32.KeyLogger.rk.
Explanation :
This is a key-logging trojan that logs all the keystrokes of the user and sends them to a certain website.

This malware may arrive as an attachment to a Microsoft Word RTF file.

Upon Execution, this malware displays the following fake error message:

It then drops the following files on Windows System folder:

%systemdir%GenuineLicence.exe - Trojan-Spy.Win32.KeyLogger.rk
%systemdir%kbd.dll - Trojan-Spy.Win32.KeyLogger.rk
%systemdir% est.dll - Trojan-Spy.Win32.KeyLogger.rl

Note: %systemdir% by default is C:Windowssystem32

It also creates the following registry key as part of its auto-start mechanism:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
service = "C:WINDOWSsystem32GenuineLicence.exe"

Initially, it will try to contact this url to set the infected machine's status

hxxp://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/trProj/setStatus.php

Then this malware sends the user's keystrokes including its ip address to this url:

hxxp://208.101.11.38/~mbs1/mail/cgi-bin/scripts/.old/trProj/saveKeLog.php

Last update 31 October 2007

TOP

Trojan-Spy:W32/KeyLogger.RK

Aliases :

Explanation :

Malware :

Family: