Trojan.Keylog.ZKT (Backdoor:Win32/PoisonIvy.E)

SYMPTOMS:
Presence of the following files and registry keys in the system:
- %WINDIR%\mht32.exe

TECHNICAL DESCRIPTION:
The virus searches for the explorer.exe process and, if it is found, injects its code into it. The injected code rewrites the file %WINDIR%\mht32.exe with its own copy. It then searches the installed components under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components for one whose StubPath points to %WINDIR%\mht32.exe; if one is found, it is deleted. After that, a component with CLSID {272BF88D-A474-622F-9684-E4E7FA186643} is created with its StubPath pointing to the virus.

The virus modifies the following registry value in order to be executed at every system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

The code injected into the explorer.exe process monitors all system messages and logs every pressed key, together with the title of the window it comes from, into the file %WINDIR%\mht32. It then starts the default system browser and injects its code there as well; that code tries to connect to [removed]-pppoe.avangarddsl.ru on port 23423 and send the data collected from the infected computer. In effect it is a remote keylogger that sends its log file to the destination host.

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Suiu Andrei, virus researcher
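A read-only host check for the indicators named in this description, as an added example (it is not part of the BitDefender write-up and not a removal tool). It reports the dropped file and log file under %WINDIR%, any Active Setup component whose StubPath points at mht32.exe, the reported CLSID, Run values that reference mht32 (the write-up does not give the value name, so matching on the file name is an assumption), and any live TCP connection to remote port 23423. It relies only on built-in cmdlets (Get-NetTCPConnection needs Windows 8 / Server 2012 or later) and should be run from an elevated PowerShell prompt.

```powershell
# Added example: report-only check for the indicators in the description above.
# Nothing is deleted or modified; each finding is collected and printed.

$Indicators = @()
$WinDir   = $env:WINDIR
$DropPath = Join-Path $WinDir 'mht32.exe'   # binary the injected code rewrites
$LogPath  = Join-Path $WinDir 'mht32'       # keystroke log named in the write-up
$Clsid    = '{272BF88D-A474-622F-9684-E4E7FA186643}'

# 1. Dropped binary and keystroke log on disk
foreach ($p in @($DropPath, $LogPath)) {
    if (Test-Path -LiteralPath $p) {
        $Indicators += "File present: $p"
    }
}

# 2. Active Setup persistence: any StubPath pointing at mht32.exe,
#    plus the specific CLSID reported for this sample
$ActiveSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $ActiveSetup -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match 'mht32\.exe') {
        $Indicators += "Active Setup StubPath -> mht32.exe under $($_.PSChildName): $stub"
    }
    if ($_.PSChildName -eq $Clsid) {
        $Indicators += "Active Setup component with reported CLSID present: $Clsid"
    }
}

# 3. Run key values referencing the dropped file (value name is not given in
#    the write-up, so this matches on the file name; assumption)
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match 'mht32' } |
        ForEach-Object { $Indicators += "Run value '$($_.Name)' -> $($_.Value)" }
}

# 4. Live outbound connection on the port the description names (23423/tcp)
Get-NetTCPConnection -RemotePort 23423 -ErrorAction SilentlyContinue | ForEach-Object {
    $Indicators += "TCP connection to $($_.RemoteAddress):23423 from PID $($_.OwningProcess)"
}

if ($Indicators.Count -eq 0) {
    'No indicators from the write-up found.'
} else {
    $Indicators
}
```

The Active Setup check deliberately matches on the StubPath target rather than only the CLSID, since the description says the sample first removes any existing component pointing at mht32.exe and then registers its own; a variant with a different CLSID would still be caught by the path match. The injection into explorer.exe and the browser is not visible to a registry and file check like this one and would need process memory inspection or endpoint telemetry.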