Trojan-Spy.Win32.Dks.131.b
| Alert Level : | Medium |
| Discovered: | Mar 22 2007 |
| Tag: | Trojan Spy |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan logs the user’s keystrokes. It is a Windows PE EXE file. It is written in Visual C++. The file is 6,144 bytes in size. The file is packed using UPX. The unpacked file is approximately 31KB in size.
Installation
Once launched, the Trojan copies itself to the Windows system directory as "SYSTEMKS.EXE":
%System%\SYSTEMKS.EXE
The Trojan also creates a file called "systemks.dll" in the Windows system directory:
%System%\systemks.dll (11,776 bytes)
This file intercepts information entered via the keyboard and writes it to a log file.
The Trojan also creates a file called "sysadks.dll" in the Windows system directory:
%System%\sysadks.dll (4,608 bytes)
It registers this file in the system registry:
[HKCR\CLSID\<randomly generated number>\InProcServer32]
"default"="sysadks.dll"
[HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sysadks"="<randomly generated number>"
The Trojan also checks whether it has already been launched by searching for a window titled “systemks”.
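The registration described above can be audited offline. The following is an added example, not part of the original description: it resolves every ShellServiceObjectDelayLoad value to the DLL named by its CLSID's InProcServer32 default value (written as `@` in .reg exports) and marks entries matching the "sysadks" value name or "sysadks.dll". It assumes the input is `reg export` text of the two keys, already decoded to a Python string; the GUIDs and the WebCheck entry in the sample are constructed.

```python
import re

# Indicators from the description above; the GUIDs in SAMPLE are constructed placeholders.
IOC_VALUE, IOC_DLL = "sysadks", "sysadks.dll"
SSODL = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$')  # string values only

def parse_reg(text):
    """Parse `reg export` text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # "@" is the key's default value; un-escape doubled backslashes
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name] = m.group(2).replace("\\\\", "\\")
    return keys

def audit_ssodl(text):
    """Resolve every SSODL value to its InProcServer32 DLL and grade it."""
    keys, findings = parse_reg(text), []
    for name, clsid in keys.get(SSODL, {}).items():
        server = keys.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        dll = server.get("")  # None when the CLSID has no readable string default
        base = (dll or "").rsplit("\\", 1)[-1].lower()
        if name.lower() == IOC_VALUE or base == IOC_DLL:
            status = "match"
        elif dll is None:
            status = "unresolved"
        else:
            status = "ok"
        findings.append((name, clsid, dll, status))
    return findings

# Constructed sample export: one ordinary entry and one shaped like the registration above.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{11111111-1111-1111-1111-111111111111}"
"sysadks"="{22222222-2222-2222-2222-222222222222}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InProcServer32]
@="sysadks.dll"
'''
```

An "unresolved" result means the CLSID has no InProcServer32 string value in the export (for example a value exported in hex form), so that entry needs a manual look.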
Payload
The Trojan intercepts information entered via the keyboard, determines the language it has been entered in, tracks window operations and then writes this information to the following file:
%System%\kslog.dat
Removal instructions for Trojan-Spy.Win32.Dks.131.b:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the files created by the Trojan:
%System%\SYSTEMKS.EXE
%System%\systemks.dll
%System%\sysadks.dll
%System%\kslog.dat
- Delete the following registry key value:
[HKCR\CLSID\

