Trojan-Spy.Win32.SCKeyLog

Detect Date 11/02/2006
Class Trojan-Spy
Platform Win32
Description

Once launched, the Trojan performs the following actions:

  • It extracts files from its body and saves them in the system as:
    %System%\secsrvrc.exe

    (29 184 bytes; detected by Kaspersky Anti-Virus as “Trojan-Spy.Win32.SCKeyLog.au”)

    %System%\secsrvrc.dll

    (15 360 bytes; detected by Kaspersky Anti-Virus as “Trojan-Spy.Win32.SCKeyLog.at”)

    The files are created with the “hidden” and “system” attributes.

  • It registers the extracted library in the system registry by creating the following keys:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc]
    "DllName" = "secsrvrc.dll"
    "Asynchronous" = "0"
    "Impersonate" = "0"
    "Lock" = "WLELock"
    "Logoff" = "WLELogoff"
    "Logon" = "WLELogon"
    "Shutdown" = "WLEShutdown"
    "StartScreenSaver" = "WLEStartScreenSaver"
    "Startup" = "WLEStartup"
    "StopScreenSaver" = "WLEStopScreenSaver"
    "Unlock" = "WLEUnlock"

    The extracted “secsrvrc.dll” library is therefore automatically loaded into the address space of the “WINLOGON.EXE” process each time the system is restarted. In response to the corresponding system events (user logon, logoff, lock, unlock, screen saver start/stop, shutdown, etc.), Winlogon calls the exported functions named above from the “secsrvrc.dll” library.

  • To ensure that the previously extracted file “secsrvrc.exe” is launched automatically each time the system is rebooted, the following system registry key is created:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "secsrvrc" = "%System%\secsrvrc.exe"

  • It launches the file “secsrvrc.exe” for execution.

The Trojan then ceases running.
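As an added example (not part of the Kaspersky description), the following PowerShell script audits the two persistence locations documented above on a live host: every Winlogon Notify package and every value under the HKLM Run key. It flags entries whose names match the documented indicators (“secsrvrc.dll” and the “secsrvrc” Run value) and, more generally, any entry pointing at an executable that carries the hidden and system attributes, since the description says the dropped files are created that way. The registry paths and indicator names are taken from the description; the helper function `Get-FileAttributeInfo` is an assumed name of my own.

```powershell
# Added example, not from the Kaspersky description: audit the Winlogon Notify
# and Run persistence locations this description documents.
# Run from an elevated PowerShell prompt (HKLM is machine-wide).

$NotifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$RunKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$IocDllName = 'secsrvrc.dll'   # DllName registered under Winlogon\Notify\secsrvrc
$IocRunName = 'secsrvrc'       # value name under ...\CurrentVersion\Run

function Get-FileAttributeInfo {
    # Assumed helper name. Returns hidden/system flags for an existing file
    # (-Force so hidden files are returned), or $null when the file is absent.
    param([string]$Path)
    if (-not $Path -or -not [System.IO.File]::Exists($Path)) { return $null }
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    [PSCustomObject]@{
        Hidden = [bool]($attrs -band [System.IO.FileAttributes]::Hidden)
        System = [bool]($attrs -band [System.IO.FileAttributes]::System)
    }
}

$findings = @()

# 1. Winlogon Notify packages: each subkey names a DLL that WINLOGON.EXE loads
#    at boot and calls back on logon/logoff/lock/unlock events.
if (Test-Path -Path $NotifyRoot) {
    foreach ($sub in Get-ChildItem -Path $NotifyRoot) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        $resolved = $null
        if ($dll) {
            # A bare file name in DllName is resolved from the System32 directory.
            $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                        else { Join-Path $env:SystemRoot "System32\$dll" }
        }
        $info = Get-FileAttributeInfo $resolved
        $findings += [PSCustomObject]@{
            Location  = "Winlogon\Notify\$($sub.PSChildName)"
            Value     = $dll
            Path      = $resolved
            Exists    = [bool]$info
            HiddenSys = if ($info) { $info.Hidden -and $info.System } else { $false }
            KnownIoc  = ($dll -ieq $IocDllName)
        }
    }
}

# 2. Run key: every value is a command line started at each interactive logon.
if (Test-Path -Path $RunKey) {
    $run = Get-Item -Path $RunKey
    foreach ($name in $run.GetValueNames()) {
        $cmd = [string]$run.GetValue($name)
        # Strip surrounding quotes / trailing arguments to get the executable path.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [System.Environment]::ExpandEnvironmentVariables($exe)
        $info = Get-FileAttributeInfo $exe
        $findings += [PSCustomObject]@{
            Location  = "Run\$name"
            Value     = $cmd
            Path      = $exe
            Exists    = [bool]$info
            HiddenSys = if ($info) { $info.Hidden -and $info.System } else { $false }
            KnownIoc  = ($name -ieq $IocRunName)
        }
    }
}

$findings | Sort-Object -Property KnownIoc, HiddenSys -Descending | Format-Table -AutoSize

$hits = @($findings | Where-Object { $_.KnownIoc -or $_.HiddenSys })
if ($hits.Count -gt 0) {
    Write-Warning "Found $($hits.Count) entr(y/ies) matching the documented names or pointing at hidden+system executables; review them."
}
```

Two caveats when reading the output. Winlogon notification packages are only loaded by Winlogon on Windows 2000/XP/Server 2003; from Windows Vista onward the mechanism was removed, so on newer systems the Notify subkey is at most an inert remnant while the Run value still executes at logon. And an entry that is absent from the registry but whose file still exists on disk (for example %Temp%\LogFile.Log or the dropped executable) is not covered here; pair this check with a file-system sweep for the paths listed in the description.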

When running, the Trojan saves its log to the following file:

%Temp%\LogFile.Log

The content of this log is sent to the malicious user by email.

Once launched, the “secsrvrc.exe” process performs the following actions:

  • If the infected computer is running Windows 9x, the Trojan hides its process using the undocumented function “RegisterServiceProcess”.
  • It calls the following functions from the “%System%\secsrvrc.dll” library:

    SetLOpt
    StartL