Detect date
11/02/2006
Class
Trojan-Spy
Platform
Win32

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Spy

Trojan-Spy programs are used to spy on a user’s actions (to track data entered by keyboard, make screenshots, retrieve a list of running applications, etc.). The harvested information is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request) and other methods can be used to transmit the data.


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Once launched, the Trojan performs the following actions:

  • It extracts files from its body and saves them in the system as:
    %System%\secsrvrc.exe
    (29 184 bytes; detected by Kaspersky Anti-Virus as "Trojan-Spy.Win32.SCKeyLog.au")
    %System%\secsrvrc.dll
    (15 360 bytes; detected by Kaspersky Anti-Virus as "Trojan-Spy.Win32.SCKeyLog.at")
    The files are created with the "hidden" and "system" attributes.
  • It registers the extracted library in the system registry by creating the following keys:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc]
    "DllName" = "secsrvrc.dll"
    "Asynchronous" = "0"
    "Impersonate" = "0"
    "Lock" = "WLELock"
    "Logoff" = "WLELogoff"
    "Logon" = "WLELogon"
    "Shutdown" = "WLEShutdown"
    "StartScreenSaver" = "WLEStartScreenSaver"
    "Startup" = "WLEStartup"
    "StopScreenSaver" = "WLEStopScreenSaver"
    "Unlock" = "WLEUnlock"

    The extracted "secsrvrc.dll" library is therefore automatically loaded into the address space of the "WINLOGON.EXE" process each time the system is restarted. In response to different events taking place in the system (user login, logout, etc.), Winlogon calls the corresponding exported function of the "secsrvrc.dll" library, so the Trojan's code runs on every such event.
  • To ensure that the previously extracted file "secsrvrc.exe" is launched automatically each time the system is rebooted, the following system registry key is created:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "secsrvrc" = "%System%\secsrvrc.exe"

  • It launches the file "secsrvrc.exe" for execution.
The Trojan then ceases running.
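A defender's check for the Winlogon Notify persistence described above, added here as an example (it is not part of the Kaspersky description): it parses a `reg export` of the Winlogon\Notify key and flags every Notify package that is not in an assumed Windows XP baseline, reporting the DLL that winlogon.exe would load and the events it hooks. The sample export and the baseline set are constructed assumptions; adjust the baseline for the build you are auditing.

```python
# Constructed sample of a `reg export` of Winlogon\Notify (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc]
"DllName"="secsrvrc.dll"
"Impersonate"=dword:00000000
"Logon"="WLELogon"
"Logoff"="WLELogoff"
"Startup"="WLEStartup"
'''
# Assumed baseline of Notify packages shipped with Windows XP; tune it per build.
KNOWN_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                  "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
NOTIFY_PREFIX = "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
EVENTS = {"Logon", "Logoff", "Startup", "Shutdown", "Lock", "Unlock",
          "StartScreenSaver", "StopScreenSaver"}

def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export (string and dword values)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):      # new key header
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):               # "name"=value
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys

def find_unknown_notify_packages(text):
    """Flag Notify subkeys missing from the baseline, with the DLL and the events they hook."""
    findings = []
    for path, values in parse_reg(text).items():
        _, found, package = path.rpartition(NOTIFY_PREFIX)  # package = last path component
        if not found or package in KNOWN_PACKAGES:
            continue
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        findings.append({"package": package, "dll": dll,
                         "events": sorted(e for e in EVENTS if e in values)})
    return findings

if __name__ == "__main__":
    for f in find_unknown_notify_packages(SAMPLE_REG):
        print(f"unknown Notify package {f['package']} loads {f['dll']} on {f['events']}")
```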

When running, the Trojan saves its log to the following file:

%Temp%\LogFile.Log
The content of this log is sent to the malicious user by email.

Once launched, the "secsrvrc.exe" process performs the following actions:

  • If the infected computer is running Windows 9x, the Trojan hides its process using the undocumented function "RegisterServiceProcess".
  • It calls the following functions from the "%System%\secsrvrc.dll" library:

    SetLOpt
    StartL
