Effects

Prokeylogger is a PUP (Potentially Unwanted Program) that carries out the following actions:

- When it is run, it displays the following images:

- It injects itself into the process iexplorer, in order to go unnoticed.
- It logs the keystrokes typed by the user.
- It obtains the passwords that have been entered in the computer.
- It captures screenshots.
- It can record these actions:
  - remote desktops.
  - remote webcams.
  - the clipboard.
  - the email messages, chat conversations and instant messages.
  - the programs that have been run.
- The gathered information is stored in a log file, which is sent via email or FTP in RTF or HTML format.

Infection strategy

Prokeylogger creates the following files in the subfolder @@@ of the Windows directory:

- START.EXE and WINLOG.EXE, which are copies of itself.
- TUE.JUL.25.20060.KLF, where the monitored data are stored. The filename is variable, as it corresponds to the system date. Additionally, it contains an error.
- UTILS.DLL, which has monitoring functions.

Prokeylogger creates the following entry in the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}
StubPath = %windir%\@@@\start.exe

where %windir% is the Windows directory. By creating this entry, Prokeylogger ensures that it is run whenever Windows is started.

Further Details

Prokeylogger is written in the programming language Delphi.
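
A check for the Active Setup entry described under Infection strategy, given as an added example that is not part of the original write-up. It parses saved output of `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and flags entries matching the GUID or StubPath listed above. The function names, the sample text and the default `C:\Windows` location are assumptions.

```python
import re

# Indicators copied from the write-up above.
IOC_GUID = "{2bf41072-b2b1-21c1-b5c1-0305f4155515}"
IOC_STUB = r"%windir%\@@@\start.exe"

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Installed Components\\([^\\]+)$", re.I)
VAL_RE = re.compile(r"^\s+StubPath\s+REG_(?:EXPAND_)?SZ\s+(.+)$", re.I)

def normalize(path, windir=r"C:\Windows"):
    """Lower-case, drop quotes, fold Windows-directory spellings to %windir%."""
    p = path.strip().strip('"').lower()
    for prefix in ("%systemroot%", windir.lower()):
        if p.startswith(prefix):
            p = "%windir%" + p[len(prefix):]
    return p

def scan(reg_output, windir=r"C:\Windows"):
    """Return (component, stub_path, reasons) for entries matching an indicator."""
    hits, component = [], None
    for line in reg_output.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            component = key.group(1)
            continue
        val = VAL_RE.match(line)
        if not (val and component):
            continue
        stub, reasons = val.group(1).strip(), []
        if component.lower() == IOC_GUID:
            reasons.append("component GUID matches")
        if normalize(stub, windir).startswith(IOC_STUB):
            reasons.append("StubPath matches")
        if reasons:
            hits.append((component, stub, reasons))
    return hits

# Constructed sample in the layout printed by `reg query ... /s`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}
    StubPath    REG_EXPAND_SZ    %SystemRoot%\system32\example.exe /setup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}
    StubPath    REG_SZ    C:\WINDOWS\@@@\start.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}
    StubPath    REG_EXPAND_SZ    "%SystemRoot%\@@@\START.EXE"
"""

if __name__ == "__main__":
    for component, stub, reasons in scan(SAMPLE):
        print(component, stub, "; ".join(reasons))
```

The third sample entry uses a different GUID and a different spelling of the Windows directory, so it is caught only by the normalized StubPath comparison.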