Repost: Trojan virus Trojan-Spy.Win32.KeyLogger.ba

From Antiy Labs: http://www.antiy.com/index.htm

Virus label:
Virus name: Trojan-Spy.Win32.KeyLogger.ba
Virus type: Trojan
File MD5: 8081C6A147C1958EAC7D1CD5691685C5
Disclosure: Fully disclosed
Hazard level: Medium
File length: 65,536 bytes
Infected systems: Windows 98 or above
Development tool: Microsoft Visual Basic 5.0 - 6.0
Packer type: None
Naming comparison: Symantec [Keylogger.Trojan], McAfee [Keylog-Curio]
Virus description:
The virus uses the system folder icon so that users mistake it for a folder and open it. Once run, it copies itself to %system%, creates a text file named keylogs.txt under %windir% to record keyboard input, and adds a startup item to the registry so that it runs automatically each time the system starts. It records which programs were opened, the time, and the keystrokes typed, and in this way steals sensitive information such as user passwords. The virus is harmful to users.
Behavior analysis:
1. After the virus runs, it copies itself to the system drive and creates a text file in which it records keyboard activity:
%system%\(virus name).exe
%windir%\keylogs.txt
2. It creates a new registry value that adds a startup item, so that it runs automatically each time the system starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Key value: String: "NortonLiveUpdate"="(path where the virus is located)"

Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default path on Windows 2000/NT is C:\Winnt\System, on Windows 95/98/Me it is C:\Windows\System, and on Windows XP it is C:\Windows\System. %windir% is a variable path. The default path on Windows 2000/NT is C:\Winnt, and on Windows 95/98/Me/XP it is C:\Windows.

Removal plan:
1. Use Antiy Trojan Defense to remove this virus completely (recommended).
2. Manual removal: delete the files listed in the behavior analysis and restore the affected system settings.
(1) Use "Process Management" in Antiy Trojan Defense to terminate the virus process.
(2) Delete the virus files:
%system%\(virus name).exe
%windir%\keylogs.txt
(3) Restore the registry entries modified by the virus and delete the entries it added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Key value: String: "NortonLiveUpdate"="(virus path)"
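A read-only check for the indicators listed above (the Run-key value, the dropped copy with its size and MD5, and keylogs.txt), written here as an added example rather than anything from Antiy; it assumes PowerShell 4 or later on Windows and uses the file MD5 and length given in the virus label.

```powershell
# Added detection helper (not part of the Antiy advisory). Reports the
# indicators the advisory names; it does not delete or modify anything.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'NortonLiveUpdate'                      # startup value from the advisory
$knownMd5  = '8081C6A147C1958EAC7D1CD5691685C5'      # file MD5 from the virus label
$knownSize = 65536                                   # file length from the virus label
$logFile   = Join-Path $env:windir 'keylogs.txt'     # keystroke log location

$findings = @()

# 1. Autostart entry: the value name is fixed, its data is the dropped copy's path.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $exePath = ([string]$run.$valueName).Trim('"')
    $findings += [pscustomobject]@{
        Indicator      = "Run value '$valueName'"
        Detail         = $exePath
        Present        = $true
        MatchesAdvisory = $true
    }

    # 2. Dropped executable: compare size and MD5 with the advisory's values.
    if (Test-Path -LiteralPath $exePath) {
        $file = Get-Item -LiteralPath $exePath
        $md5  = (Get-FileHash -LiteralPath $exePath -Algorithm MD5).Hash
        $findings += [pscustomobject]@{
            Indicator      = 'Dropped executable'
            Detail         = "$exePath size=$($file.Length) md5=$md5"
            Present        = $true
            MatchesAdvisory = ($md5 -eq $knownMd5 -and $file.Length -eq $knownSize)
        }
    }
}

# 3. Keystroke log in %windir%; its existence alone is a strong indicator.
$logExists = Test-Path -LiteralPath $logFile
$findings += [pscustomobject]@{
    Indicator      = 'Keystroke log'
    Detail         = $logFile
    Present        = $logExists
    MatchesAdvisory = $logExists
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt; a Run value with a different MD5 or size may be a newer build or another family, so the removal steps above still start with terminating the process before deleting files.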
Attachment:
Antiy Trojan Defense 2005+ trial version download address: http://www.antiy.com/product/ghostbusters/index.htm
Virus reporting mailbox: submit@virusview.net