Win32.WinKeyLogger.C trojan.

[HippoDuck]

Hi,

I am testing a program called "eTrust EZ Antivirus" from CA, and now its realtime scanner found and logged this on my PC :

"2005/01/15 16:33:53.125 File infection: C:\System Volume Information\_restore{D79DAD9E-7D9F-4031-B899-C110FA32DCCC}\RP27\A0006815.dll is Win32.WinKeyLogger.C trojan. Deleted. "

I have made a purchase with a credit card this week, so now I got a bit nervous, as this is some kind of keylogge .

I updated the virus database and started the PC in safe mode. Made a full system scan, and it found nothing. Also run AdAware, that did not find "anything".

I checked if the file in system volume information was gone, and it was.

Now I can not find any more info about the keylogger.

My XP has done restore points every day, and no viruses was found there.

The virus was not found outside "System Volume Information" ?

I dont know how and when this keylogger has been installed on my pc, and I dont know if there is any way to find out either...

I installed this CA antivirus 2-3 days agoo, and it also has a firewall. (

Questions.

1) Is it safe to assume the infection has happend to day, as no other restore points seems to have this virus?

2) Is there a way to figure out the real name of the file "A0006815.dll" ?

3) Is it not strange the keylogger is not found outside "system volume information" ?

4) Is there some logs I can see from when this file was created on my disk?

5) If this program came on my PC today, how is it possible, as I have the firewall, all patches and virscan active ?

Any suggestions what else I shold / could do about this?

Thank you for Your time.

[nihil]

Well you can read about it here:

http://www3.ca.com/securityadvisor/v....aspx?id=40941

It seems to be a part of a bigger picture. I would guess that your previous AV/anti-malware dealt with the main problem.........might even have been prevented from loading, and this is a residual element. It does not seem to be able to do anything on its own.

For your own peace of mind, please go to the Trend Micro website and run "housecall", their online scanner.

I would also recommend SpyBot Search & Destroy, and Ewido..............if you don't buy it, the interactive protection of Ewido will expire, but you can still update and run the on demand scanner for free.

Another to look at is SwatIT (takes a long time)

Cheers

EDIT: and change your credit card online transaction password if you entered it.

You might also check your sent mail for anything unusual. Keep a close eye on your credit card account.

And don't use Internet Explorer

[littlenick]

Hi nihil

Some time back i created my personal keylogger in vc++ using familiar techniques of windows hooks.
I first thought that any antivirii will detect but after i finished i found out that norton and mcafee can't detect it.
then i downloaded trial version of advanced keylogger http://downloads.antionline.com/file/16308.htm and still atleast mcafee couldn't detect it.

Any idea why?

[nihil]

Hi littlenick,

What you have to bear in mind that a keylogger can be legitimate software...........you can buy them from reputable vendors, and they are used by SysAdmins as a security tool. For this reason a lot of them are not recognised as malware, unless they are known to be part of other malware, such as a worm, or trojan.

In other words, if the payload of malware includes a keylogger, you might expect that to be detected.

I also have several bits of software that log keystrokes and mouse movements to help generate interactive training courses. This software is not detected, as it is totally innocent.

There is specialist software that detects keyloggers, but don't expect it of your AV.

I hope that helps.

[littlenick]

I think i get the point any keylogger just logging key strokes and maintaining a Log file might not be considered as harmful by antivirii's but any key logger trying to send that log file to a mail address might be considered as a backdoor and also any ligitimate software trying to log your key strokes will be detected.

The key logger i developed was a simple one worked in background(simple vc++ programming)and maintained a file of keystrokes being pressed.
I guess that is why it was not detected by AV.

[nihil]

Yes that is how I understand it.

1. A local keylogger will most likely not be detected, other than by a specialist detector.
2. A remote keylogger might be caught by behavioural analysis in an AV product, but should certainly be caught by your firewall when it tries to "phone home"
3. Malware with a keylogger in the payload should be detected as malware by your AV