Trojan-Spy.Win32.Dks.11.a
| Alert Level : | Medium |
| Discovered: | Nov 03 2006 |
| Tag: | Trojan Spy |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan logs the user’s keystrokes. It is a Windows PE EXE file. It is written in Visual C . The file is 12,288 bytes in size. It is packed using ASPack. The unpacked file is approximately 40KB in size.
InstallationOnce launched, the Trojan copies itself to the Windows system directory as "ks001.exe":
%System%\ks001.exeIt then registers itself in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "systemks" = "ks001.exe"This ensures that the Trojan will be launched each time Windows is booted on the victim machine.
The Trojan also creates a file called "ks001.dll" in the Windows system registry:
%System%\ks001.dll (8 704 bytes)This file intercepts information entered via the keyboard and writes it to a log file.
The Trojan will also track its repeated launch by search for a window with the heading “systemks”.
Payload
The Trojan intercepts information entered via the keyboard, determines the language it has been entered in, tracks window operations and then writes this information to the following file:
%System%\ks000log.txtRemoval Trojan-Spy.Win32.Dks.11.a instructions:
- Delete the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the files created by the Trojan:
%System%\ks001.exe
%System%\ks001.dll
%System%\ks000log.txt - Delete the following registry key value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"systemks" = "ks001.exe" - Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Need help? Live computer support via remote at SupportSpace |
