Spyware.KeySpyware

Updated: 23 March 2006
Risk Impact: Low
Systems Affected: Windows

Behavior

Spyware.KeySpyware is a spyware program that logs keystrokes and monitors user activity on the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 19 October 2016 revision 006
  • Initial Daily Certified version 23 March 2006
  • Latest Daily Certified version 20 October 2016 revision 001
  • Initial Weekly Certified release date 29 March 2006

Once the risk is installed, it creates the following files:
C:\Program Files\Key Spyware\help.htm
C:\Program Files\Key Spyware\HOMEPAGE.HTM
C:\Program Files\Key Spyware\Readme.txt
C:\Program Files\Key Spyware\screen1.gif
C:\Program Files\Key Spyware\uninstall.exe
C:\Program Files\Key Spyware\pc[NUMBER].jpg
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\emaillog.txt
C:\WINDOWS\ftplog.txt
C:\WINDOWS\k183swneformat.dll
C:\WINDOWS\k183swneformat.ocx
C:\WINDOWS\SYSTEM\ksepyy.zhy
C:\WINDOWS\SYSTEM\mskbdr.dll
%UserProfile%\Start Menu\Programs\Key Spyware\Key Spyware Help.lnk
%UserProfile%\Start Menu\Programs\Key Spyware\Key Spyware Readme.lnk
%UserProfile%\Start Menu\Programs\Key Spyware\Key Spyware.lnk
%UserProfile%\Start Menu\Programs\Key Spyware\Uninstall.lnk

The risk then creates the following folders:
C:\Program Files\Key Spyware
%UserProfile%\Start Menu\Programs\Key Spyware

Next, the risk creates the following registry entries, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run\"Audiodev" = "C:\WINDOWS\SVCHOST.exe Audiodev"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Audiodev" = "C:\WINDOWS\SVCHOST.exe Audiodev"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"Audiodev" = "C:\WINDOWS\SVCHOST.exe Audiodev"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Audiodev" = "C:\WINDOWS\SVCHOST.exe Audiodev"

The risk also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\XTZY\KeySpy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeySpy

The risk then logs keystrokes and monitors user activity on the compromised computer.
Writeup By: softboy
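
An added example, not part of the original writeup: a check that scans the decoded text of a `reg export` dump for the autostart entries and registry subkeys listed above. The function names and the sample export are constructed for illustration; a value named "Audiodev" with different data is reported separately as an assumption about what is still worth reviewing.

```python
import re

# Indicators copied from the writeup; registry names are case-insensitive.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)}
VALUE_NAME, VALUE_DATA = "audiodev", r"c:\windows\svchost.exe audiodev"
SUBKEYS = [k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\XTZY\KeySpy",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KeySpy",
)]
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):  # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (kind, key, data) hits from decoded `reg export` text."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
            low = key.lower()
            if any(low == s or low.startswith(s + "\\") for s in SUBKEYS):
                hits.append(("subkey", key, ""))
        elif (m := STRING_VALUE.match(line)) and key and key.lower() in AUTOSTART_KEYS:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if name.lower() == VALUE_NAME:
                # Assumption: same name with different data still merits review
                kind = "autostart" if data.lower() == VALUE_DATA else "autostart-name-only"
                hits.append((kind, key, data))
    return hits

# Constructed sample export (not taken from a real host)
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\ExampleApp\\app.exe"
"Audiodev"="C:\\WINDOWS\\SVCHOST.exe Audiodev"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Audiodev"="C:\\WINDOWS\\SVCHOST.exe Audiodev"
[HKEY_LOCAL_MACHINE\SOFTWARE\XTZY\KeySpy]
'''

if __name__ == "__main__": print(*scan_reg_export(SAMPLE), sep="\n")
```

Files written by `reg export` are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `scan_reg_export`.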