Spyware.TypeRecorder

Updated: 29 March 2006
Risk Impact: Medium
Systems Affected: Windows

Behavior

Spyware.TypeRecorder is a spyware program that runs in the background, silently recording keystrokes.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 23 March 2017 revision 037
  • Initial Daily Certified version 29 March 2006
  • Latest Daily Certified version 23 March 2017 revision 041
  • Initial Weekly Certified release date 29 March 2006

When the risk is installed, it creates the following files:
%ProgramFiles%\TypeRecorder\icr.dll
%ProgramFiles%\TypeRecorder\TRKbd.dll
%ProgramFiles%\TypeRecorder\TypeRec.exe
%ProgramFiles%\TypeRecorder\TypeRecorder.lnk

Then it creates the following folder:
%ProgramFiles%\TypeRecorder\

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\DataString
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\FT
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\HotKey
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\HotKeyModifiers
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\KeepLogDays
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\LogsPath
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\RunHidden
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\StartMenuPath
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\UserName
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\UserSerialNumber

Next the risk creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"TypeRecorderL" = "%ProgramFiles%\TypeRecorder\TypeRec.exe"

The risk then runs in the background silently recording keystrokes.
Writeup By: Diarmaid Roche
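
A host check for the install footprint listed above, as an added example that is not part of the original writeup. It assumes the risk may install as a 32-bit program on 64-bit Windows, so it also looks under `Program Files (x86)` and the `WOW6432Node` registry view; the function name `Get-TypeRecorderFootprint` is hypothetical.

```powershell
# Added example: reports which parts of the footprint listed in this writeup
# are present on the local host. Read-only; it changes nothing.
# Assumption: a 32-bit install on 64-bit Windows is redirected to
# "Program Files (x86)" and HKLM:\SOFTWARE\WOW6432Node, so both views are checked.

function Get-TypeRecorderFootprint {
    $findings = @()

    # Install folder and the four files named in the writeup.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    $files = 'icr.dll', 'TRKbd.dll', 'TypeRec.exe', 'TypeRecorder.lnk'
    foreach ($root in $roots) {
        $dir = Join-Path $root 'TypeRecorder'
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $findings += [pscustomobject]@{ Type = 'Folder'; Location = $dir; Detail = '' }
        }
        foreach ($f in $files) {
            $p = Join-Path $dir $f
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = '' }
            }
        }
    }

    # Configuration key and Run value, in the native and 32-bit registry views.
    # Testing the parent key covers every Rampell\TypeRecorderL entry listed.
    foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $cfg = "$view\Rampell\TypeRecorderL"
        if (Test-Path -LiteralPath $cfg) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Location = $cfg; Detail = '' }
        }
        $run = "$view\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue).TypeRecorderL
        if ($val) {
            # Detail shows the command line the Run value would start at logon.
            $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$run\TypeRecorderL"; Detail = $val }
        }
    }
    $findings
}

Get-TypeRecorderFootprint | Format-Table -AutoSize
```

No output means none of the listed files, keys or the Run value were found in either view.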