Spyware.BlackLog

Updated: 13 April 2006
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.BlackLog is a spyware program that monitors user activity, logs keystrokes, and tracks Web sites visited.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 02 October 2014 revision 022
  • Initial Daily Certified version 12 April 2006
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 12 April 2006

Once Spyware.BlackLog is installed, it creates the following files:
%UserProfile%\Desktop\BlackLog Full.lnk
%UserProfile%\Start Menu\Programs\BlackLog Software\BlackLog Full\BlackLog Full.lnk
%UserProfile%\Start Menu\Programs\BlackLog Software\BlackLog Full\BlackLog.com.url
%UserProfile%\Start Menu\Programs\BlackLog Software\BlackLog Full\Readme-Help.lnk
%ProgramFiles%\BL\BL.exe
%ProgramFiles%\BL\BlackLog.com.url
%ProgramFiles%\BL\EventScheduler.mdb
%ProgramFiles%\BL\Help.rtf
%ProgramFiles%\BL\riched32.dll
%Windir%\Installer\[RANDOM].msi

The risk creates the following legitimate files:
%System%\actskn43.ocx
%System%\dijpg.dll
%System%\richtx32.ocx
%System%\skinboxer43.dll
%System%\comdlg32.ocx
%System%\mscomct2.ocx
%System%\mscomctl.ocx
%System%\mswinsck.ocx
%System%\Memman.ocx

The risk also creates the following folders:
%ProgramFiles%\BL
%UserProfile%\Start Menu\Programs\BlackLog Software
%UserProfile%\Application Data\Microsoft\Installer\{973F4371-0183-440A-9ECB-55C58BD3A45C}

It then creates numerous files, with the file name [RANDOM].exe, in the %UserProfile%\Application Data\Microsoft\Installer\{973F4371-0183-440A-9ECB-55C58BD3A45C} folder.

The risk also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\76CAAD08DB266C44986C32FD99020DBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{973F4371-0183-440A-9ECB-55C58BD3A45C}
HKEY_ALL_USERS\Software\Microsoft\Installer\Features\1734F3793810A044E9BC555CB83D4AC5
HKEY_ALL_USERS\Software\Microsoft\Installer\Products\1734F3793810A044E9BC555CB83D4AC5
HKEY_ALL_USERS\Software\Microsoft\Installer\UpgradeCodes\76CAAD08DB266C44986C32FD99020DBE
HKEY_ALL_USERS\Software\VB and VBA Program Settings\BlackLog

The risk creates numerous legitimate registry subkeys associated with the non-malicious components mentioned above that are installed by the risk.

Next, the risk creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%UserProfile%\Start Menu\Programs\BlackLog Software\BlackLog Full\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%UserProfile%\Start Menu\Programs\BlackLog Software\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%UserProfile%\Application Data\Microsoft\Installer\{973F4371-0183-440A-9ECB-55C58BD3A45C}" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%UserProfile%\Application Data\Microsoft\Installer\" = ""

The risk then monitors user activity on the compromised computer, logs keystrokes, and tracks Web sites visited.
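
The file and registry artifacts listed above can be matched against a file or registry-key listing exported from a host. The following is an added example, not part of the original write-up or any vendor tool; the placeholder expansions (drive letters, profile roots, and reading HKEY_ALL_USERS as any per-user hive under HKEY_USERS) and the sample listing are assumptions made for illustration.

```python
import re

# Artifacts from the write-up. Left out on purpose: the shared runtime files it
# calls legitimate and the random .msi name, which also occur on clean hosts.
INDICATORS = [
    r"%ProgramFiles%\BL\BL.exe",
    r"%ProgramFiles%\BL\EventScheduler.mdb",
    r"%UserProfile%\Start Menu\Programs\BlackLog Software",
    r"%UserProfile%\Application Data\Microsoft\Installer"
    r"\{973F4371-0183-440A-9ECB-55C58BD3A45C}\[RANDOM].exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    r"\{973F4371-0183-440A-9ECB-55C58BD3A45C}",
    r"HKEY_ALL_USERS\Software\VB and VBA Program Settings\BlackLog",
]
# Assumed expansions of the write-up's placeholders (not stated on the page).
PLACEHOLDERS = {
    "%ProgramFiles%": r"[a-z]:\\program files(?: \(x86\))?",
    "%UserProfile%": r"[a-z]:\\(?:documents and settings|users)\\[^\\]+",
    "HKEY_ALL_USERS": r"(?:hkey_users|hku)\\[^\\]+",  # any per-user hive
    "[RANDOM]": r"[^\\]+",
}
TOKEN = re.compile("(" + "|".join(map(re.escape, PLACEHOLDERS)) + ")")

def compile_indicator(indicator):
    """Turn one placeholder path into a case-insensitive regex."""
    body = "".join(PLACEHOLDERS.get(part) or re.escape(part)
                   for part in TOKEN.split(indicator))
    # Also accept anything beneath a matched folder or registry key.
    return re.compile(body + r"(?:\\.*)?", re.IGNORECASE)

COMPILED = [(i, compile_indicator(i)) for i in INDICATORS]

def scan(lines):
    """Map each matched indicator to the listing lines that matched it."""
    hits = {}
    for line in lines:
        item = line.strip().strip('"')
        for indicator, rx in COMPILED:
            if rx.fullmatch(item):
                hits.setdefault(indicator, []).append(item)
    return hits

# Constructed sample listing of file paths and registry keys (not real data).
SAMPLE = r"""
C:\Program Files\BL\BL.exe
C:\Documents and Settings\alice\Application Data\Microsoft\Installer\{973F4371-0183-440A-9ECB-55C58BD3A45C}\a1b2c3.exe
C:\WINDOWS\system32\comdlg32.ocx
HKEY_USERS\S-1-5-21-1111-2222-3333-1004\Software\VB and VBA Program Settings\BlackLog\Settings
""".splitlines()
```

Calling `scan(SAMPLE)` reports three of the four sample lines; the shared `comdlg32.ocx` control is ignored because it is not specific to this risk.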