Technical Details

This Trojan is designed to intercept information entered via the keyboard. It is a Windows PE EXE file. The file is 427,008 bytes in size.

Installation

When launched, the Trojan copies its executable file to the Windows system directory:

%System%\win2k2.exe

In order to ensure that the Trojan is launched automatically when the system is rebooted, it registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\win2k2.exe"

Payload

When launched, the Trojan performs the following actions:
- gets all passwords stored in the system by calling the undocumented function WNetEnumCachedPasswords
- tracks keystrokes within windows and records the information entered by the user
- saves the harvested data to the following log file:

%WinDir%\winlog.dat

- sends the harvested information by email to the remote malicious user at the following address: *****web@gem.net.pk

The log file is an HTML document. The titles of the windows used are saved to this file, as is the sequence of keystrokes entered within each window. The log file also includes the IP address of the victim machine.

Removal Instructions

- Delete the original Trojan file (its location will depend on how the program originally penetrated the victim machine).
- Delete the following files:

%System%\win2k2.exe
%WinDir%\winlog.dat

- Delete the following system registry key parameter:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\win2k2.exe"

- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
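The file and registry indicators named in this description, checked from PowerShell as an added example (not part of the original description and not a Kaspersky tool). It reports the dropped copy, the keystroke log and the "load" autorun value, and deletes them only when run with -Remove; it assumes %WinDir% is $env:SystemRoot and %System% is $env:SystemRoot\System32.

```powershell
# Added example: report (and optionally remove) the indicators listed in the description.
# Assumptions: %WinDir% = $env:SystemRoot, %System% = $env:SystemRoot\System32.
function Find-Win2k2Indicators {
    [CmdletBinding()]
    param([switch]$Remove)

    $system = Join-Path $env:SystemRoot 'System32'
    $files  = @(
        (Join-Path $system 'win2k2.exe'),         # dropped copy of the Trojan
        (Join-Path $env:SystemRoot 'winlog.dat')  # HTML keystroke log
    )
    $regKey   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $regValue = 'load'
    $findings = @()

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $size = (Get-Item -LiteralPath $f).Length
            # The description gives 427,008 bytes for the Trojan file; a different
            # size does not clear the file, it only means it is not that exact sample.
            $findings += [pscustomobject]@{ Type = 'File'; Path = $f; Detail = "$size bytes" }
            if ($Remove) { Remove-Item -LiteralPath $f -Force }
        }
    }

    # The "load" value is a legitimate but rarely used autorun location, so only
    # flag it when it points at the executable named in the description.
    $props = Get-ItemProperty -Path $regKey -Name $regValue -ErrorAction SilentlyContinue
    if ($props) {
        $load = $props.$regValue
        if ($load -like '*win2k2.exe*') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Path = "$regKey\$regValue"; Detail = $load }
            if ($Remove) { Remove-ItemProperty -Path $regKey -Name $regValue }
        }
    }
    return $findings
}

# Report only; add -Remove to clean. The original dropper has no fixed location,
# so a full antivirus scan is still needed afterwards, as the description advises.
Find-Win2k2Indicators | Format-Table -AutoSize
```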