TSPY_KEYLOG.YYMD
Windows
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It modifies the Internet Explorer Zone Settings.
TECHNICAL DETAILS
184,320 bytes
EXE
28 May 2015
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops the following files:
- %TEMP%\YahooMessenger.exe
Autostart Technique
This spyware drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:
- %User Profile%\Start Menu\Programs\Startup\hardisk.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Other System Modifications
This spyware adds the following registry keys:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
%User Profile%\Start Menu\Programs\
Startup\Settimess
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
%User Profile%\Start Menu\Programs\
Startup\Timesx
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
%User Profile%\Start Menu\Programs\
Startup\htt
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
%User Profile%\Start Menu\Programs\
Startup\logs
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
%User Profile%\Start Menu\Programs\
Startup\mulk
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
%User Profile%\Start Menu\Programs\
Startup\subb
Web Browser Home Page and Search Page Modification
This spyware modifies the Internet Explorer Zone Settings.
Other Details
This spyware connects to the following possibly malicious URL:
- http://{BLOCKED}sstecho.com/achabai.txt
- http://{BLOCKED}hai.com/bai.php
- http://www.{BLOCKED}r.ru/proxy/proxychecker/country.htm