TSPY_KEYLOG.WD
VirTool:Win32/VBInject (Microsoft)
Windows 2000, Windows XP, Windows Server 2003
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It adds registry entries to enable its automatic execution at every system startup.
TECHNICAL DETAILS
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops the following component file(s):
- %System%\cmd
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %System%\cmd.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
cmd.exe = %system%\cmd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9DAC0E14-E446-4251-A277-D863A87E229A}
StubPath = %system%\cmd.exe
Other System Modifications
This spyware adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9DAC0E14-E446-4251-A277-D863A87E229A}
NOTES:
It deletes the legitimate file %System%\cmd.exe and replaces it with its copy named as %system%\cmd.exe.