Wednesday, April 4, 2012

Trojan-Spy.Win32.SCKeyLog.au


Technical Details

This Trojan is a Windows application (PE EXE file) of 44 813 bytes, written in C++. It acts as a dropper: it installs a keylogging payload and then exits.

Payload

Once launched, the Trojan performs the following actions:
  • It extracts files from its body and saves them in the Windows system directory (%System%, typically C:\WINDOWS\system32 on Windows XP) as:
    %System%\secsrvrc.exe
    (29 184 bytes; detected by Kaspersky Anti-Virus as "Trojan-Spy.Win32.SCKeyLog.au")
    %System%\secsrvrc.dll
    (15 360 bytes; detected by Kaspersky Anti-Virus as "Trojan-Spy.Win32.SCKeyLog.at")
    Both files are created with the "hidden" and "system" attributes.
  • It registers the extracted library in the system registry by creating the following keys:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc]
    "DllName" = "secsrvrc.dll"
    "Asynchronous" = "0"
    "Impersonate" = "0"
    "Lock" = "WLELock"
    "Logoff" = "WLELogoff"
    "Logon" = "WLELogon"
    "Shutdown" = "WLEShutdown"
    "StartScreenSaver" = "WLEStartScreenSaver"
    "Startup" = "WLEStartup"
    "StopScreenSaver" = "WLEStopScreenSaver"
    "Unlock" = "WLEUnlock"
    
    Winlogon therefore loads the extracted "secsrvrc.dll" into the address space of the "WINLOGON.EXE" process (which runs as LocalSystem) each time the system starts. When one of the listed events occurs (startup, logon, logoff, lock, unlock, screen saver start and stop, shutdown), Winlogon itself calls the exported function named by the matching value, e.g. "WLELogon" at user login; the library thus gets control at every session change without the Trojan having to call it. Winlogon notification packages are honored only on Windows 2000, XP and Server 2003; Windows Vista and later ignore this key, so this part of the persistence does not work there.
  • To ensure that the previously extracted file "secsrvrc.exe" is launched automatically each time the system is rebooted, the following system registry key is created:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "secsrvrc" = "%System%\secsrvrc.exe"
    
  • It launches the extracted "secsrvrc.exe".
The dropper then exits; from this point on the extracted files carry the payload.
Once launched, the "secsrvrc.exe" process performs the following actions:
  • If the infected computer is running Windows 9x, it hides its process from the task list using the undocumented kernel32 function "RegisterServiceProcess".
  • It calls the following functions exported by the "%System%\secsrvrc.dll" library:
    SetLOpt
    StartL
    
While the keylogger is running, it writes its log to the following file:
%Temp%\LogFile.Log
The content of this log is sent to the malicious user by email.
    

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it manually:
  1. Remove the Winlogon Notify subkey and the Run value listed below. Delete the whole "Notify\secsrvrc" key, but under the "Run" key remove only the "secsrvrc" value: the Run key itself holds the autostart entries of legitimate programs and must stay in place.
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc]
    "DllName" = "secsrvrc.dll"
    "Asynchronous" = "0"
    "Impersonate" = "0"
    "Lock" = "WLELock"
    "Logoff" = "WLELogoff"
    "Logon" = "WLELogon"
    "Shutdown" = "WLEShutdown"
    "StartScreenSaver" = "WLEStartScreenSaver"
    "Startup" = "WLEStartup"
    "StopScreenSaver" = "WLEStopScreenSaver"
    "Unlock" = "WLEUnlock"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "secsrvrc" = "%System%\secsrvrc.exe"
    
  2. Reboot the computer, so that Winlogon no longer has "secsrvrc.dll" mapped (a DLL loaded into a running process cannot be deleted) and "secsrvrc.exe" is no longer started.
  3. Delete the following files (the first two carry the "hidden" and "system" attributes, so enable viewing of hidden and protected system files or clear the attributes with "attrib -h -s" first):
    %System%\secsrvrc.exe
    %System%\secsrvrc.dll
    %Temp%\LogFile.Log
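The two persistence points described in the technical details (the Winlogon Notify subkey and the Run value) can be triaged offline from a `reg export` of those keys before anything is deleted, and the same triage yields the exact `reg delete` lines for step 1 without touching the Run key itself. The following Python script is an added example and not part of the original description: the `.reg` text is constructed to mimic an infected XP-era host, the install path and the `KNOWN_NOTIFY_DLLS` allowlist are assumptions for illustration, and a real allowlist must be built from a known-clean baseline of the same OS build.

```python
"""Offline triage of a `reg export` dump for the two persistence points described
above. Added example: the sample export and the allowlist are constructed/assumed."""
import re
from pathlib import PureWindowsPath

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Assumed allowlist for illustration only: build the real one from a known-clean
# baseline of the same OS build, never from the host under investigation.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

# Constructed sample export of both keys from an infected XP-era host (not a real
# capture; the install path is assumed). The legitimate package's REG_EXPAND_SZ
# DllName is stored as hex(2) UTF-16LE split over two lines, as reg.exe writes it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\secsrvrc]
"DllName"="secsrvrc.dll"
"Asynchronous"=dword:00000000
"Logon"="WLELogon"
"Logoff"="WLELogoff"
"Startup"="WLEStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"secsrvrc"="C:\\WINDOWS\\system32\\secsrvrc.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""


def decode_value(raw):
    """Decode one .reg value: quoted string, dword:, or hex(n): byte list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data  # REG_BINARY and other types stay raw
    return raw


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):  # hex continuation line
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    keys, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys


def triage(keys):
    """Return (Notify packages whose DLL is off-baseline, Run entries tied to them)."""
    notify = []
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        dll = str(values.get("DllName", ""))
        if PureWindowsPath(dll).name.lower() in KNOWN_NOTIFY_DLLS:
            continue
        events = sorted(n for n in values if n not in ("DllName", "Asynchronous", "Impersonate"))
        notify.append({"key": key, "package": key.rsplit("\\", 1)[1], "dll": dll, "events": events})
    # Tie Run entries to flagged packages by value name or file stem: the dropper/DLL
    # pairing described above (secsrvrc -> secsrvrc.exe and secsrvrc.dll).
    stems = {p["package"].lower() for p in notify} | {PureWindowsPath(p["dll"]).stem.lower() for p in notify}
    run_values = next((v for k, v in keys.items() if k.lower() == RUN_KEY.lower()), {})
    run = [{"key": RUN_KEY, "name": n, "target": str(t)} for n, t in run_values.items()
           if n.lower() in stems or PureWindowsPath(str(t)).stem.lower() in stems]
    return notify, run


def removal_commands(notify, run):
    """reg.exe lines for step 1: the whole Notify\\<package> subkey goes, but under Run
    only the one value is removed, because the Run key holds other programs' entries."""
    def short(key):
        return key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
    cmds = [f'reg delete "{short(p["key"])}" /f' for p in notify]
    cmds += [f'reg delete "{short(r["key"])}" /v "{r["name"]}" /f' for r in run]
    return cmds


if __name__ == "__main__":
    notify, run = triage(parse_reg(SAMPLE_REG))
    print("\n".join(removal_commands(notify, run)))
```

Run it against an export of both keys taken from the suspect host. Any Notify package whose DllName is not in the baseline deserves a look even when it is not this family, because the key is a generic way to get a DLL loaded into Winlogon on the Windows versions that honor it.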
