The Trojan intercepts information entered via the keyboard, determines the language it has been entered in, tracks window operations and then writes this information to the following file:
%System%\kslog.dat

- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the files created by the Trojan:
  %System%\SYSTEMKS.EXE
  %System%\systemks.dll
  %System%\sysadks.dll
  %System%\kslog.dat
- Delete the following registry key values:
[HKCR\CLSID\

This Trojan logs the user’s keystrokes. It is a Windows PE EXE file. It is written in Visual C++. The file is 6,656 bytes in size. It is packed using UPX. The unpacked file is approximately 27 KB in size.
Installation

Once launched, the Trojan copies itself to the Windows system directory as "SYSTEMKS.EXE":
%System%\SYSTEMKS.EXE

The Trojan also creates a file called "systemks.dll" in the Windows system directory:
%System%\systemks.dll (5,120 bytes)

The Trojan also creates a file called "sysadks.dll" in the Windows system directory:
%System%\sysadks.dll (3,072 bytes)

It registers this file in the system registry:
[HKCR\CLSID\<randomly generated number>\InProcServer32]
"default" = "sysadks.dll"
[HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sysadks" = "<randomly generated number>"

The Trojan also checks whether it has already been launched by searching for a window titled “systemks”.
Payload
