
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Prokeylogger

 
Threat Level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Prokeylogger is a PUP (Potentially Unwanted Program) that carries out the following actions:

  • When it is run, it displays the following images:

  • It injects itself into the iexplorer process in order to go unnoticed.
  • It logs the keystrokes typed by the user.
  • It obtains the passwords that have been entered on the computer.
  • It captures screenshots.
  • It can record the following:
    - Remote desktops.
    - Remote webcams.
    - The clipboard.
    - Email messages, chat conversations and instant messages.
    - The programs that have been run.
  • The gathered information is stored in a log file, which is sent via email or FTP in RTF or HTML format.

Infection strategy 

Prokeylogger creates the following files in the subfolder @@@ of the Windows directory:

  • START.EXE and WINLOG.EXE, which are copies of itself.
  • TUE.JUL.25.20060.KLF, where the monitored data is stored.
    The filename varies, as it corresponds to the system date. Additionally, it contains an error.
  • UTILS.DLL, which has monitoring functions.

 

Prokeylogger creates the following entry in the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}
StubPath = %windir%\@@@\start.exe

where %windir% is the Windows directory.
By creating this entry, Prokeylogger ensures that it is run whenever Windows is started.
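
The following triage check is an added example, not code from Panda Security: it looks for the Active Setup entry and the dropped files listed above in saved `reg query ... /s` output and in a folder listing. The sample output, the `C:\Windows` default and the function names are constructed for illustration; beyond the exact entry, it also flags any other StubPath that points into the @@@ subfolder.

```python
import re
# Indicators taken from the description above.
IOC_GUID = "{2bf41072-b2b1-21c1-b5c1-0305f4155515}"
IOC_STUB = r"%windir%\@@@\start.exe"
IOC_FILES = {"start.exe", "winlog.exe", "utils.dll"}
ACTIVE_SETUP = "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")
# Constructed sample of `reg query ... /s` output: one benign entry, one matching entry.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}
    (Default)    REG_SZ    Constructed benign component
    StubPath    REG_SZ    "C:\Windows\System32\rundll32.exe" example.dll,Install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}
    StubPath    REG_SZ    C:\Windows\@@@\start.exe
"""

def normalize(path, windir=r"C:\Windows"):
    """Lower-case a path and fold the Windows directory back to %windir%."""
    p = path.strip().strip('"').lower()
    for prefix in (windir.lower(), "%systemroot%"):
        if p.startswith(prefix + "\\"):
            p = "%windir%" + p[len(prefix):]
    return p

def scan_reg_query(text, windir=r"C:\Windows"):
    """Return (guid, stubpath, reason) for Active Setup entries matching the indicators."""
    hits, key = [], ""
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = VALUE_LINE.match(line)
        if not m or m.group(1).lower() != "stubpath" or not key.startswith(ACTIVE_SETUP):
            continue
        guid, stub = key[len(ACTIVE_SETUP):], normalize(m.group(3), windir)
        reasons = ["guid"] if guid == IOC_GUID else []
        if stub == IOC_STUB:
            reasons.append("stubpath")
        elif stub.startswith("%windir%\\@@@\\"):
            reasons.append("folder")
        if reasons:
            hits.append((guid, m.group(3).strip(), "+".join(reasons)))
    return hits

def dropped_files(listing):
    """From a listing of the @@@ subfolder, return the file names the page describes."""
    return sorted(n for n in listing if n.lower() in IOC_FILES or n.lower().endswith(".klf"))

if __name__ == "__main__":
    print(scan_reg_query(SAMPLE), dropped_files(["START.EXE", "notes.txt"]))
```

The log file is matched by its .KLF extension rather than by name, since the page notes that the filename varies with the system date.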

Further Details  

Prokeylogger is written in the programming language Delphi.