ThreatExpert Report: Application.Elite_Keylogger, Spyware.EliteKeylogger..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 14 November 2008, 15:43:23
Processing time: 6 min 55 sec
Submitted sample:

File MD5: 0xC05D7BE80FAC4166BCBB7D3D7729D425
File SHA-1: 0x6AB4CD74AFACBBBA764AC5EE1948972F96AB416A
Filesize: 3,866,347 bytes
Alias:

Application.Elite_Keylogger [PCTools]
Spyware.EliteKeylogger [Symantec]
not-a-virus:Monitor.Win32.EliteKeylogger.21 [Kaspersky Lab]
Virus.Win32.Spyware [Ikarus]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Spyware.EliteKeylogger!sd5	Spyware.EliteKeylogger!sd5 is a spyware program that monitors internet activity and users browsing habits.
Application.Elite_Keylogger	Elite Keylogger is a monitoring software from 'Widestep Keyloggers Software'. It runs in stealth mode and captures all keystrokes (i.e. everything that is typed), including information about all applications used, all conversations, emails, websites visited, clipboard data etc. It can take snapshots of the system at regular time intervals. It has the ability to save the log files in encrypted format and send them to the email address specified by the person who installed it. Removal of this software is advisable if not installed for a purpose.

Attention! The following threat category was identified:

Threat Category	Description
	A spyware program that represents security risk for a local system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\gdisvr.exe	2,224,128 bytes	MD5: 0x1CCBCF8EE2EBFF7A0BC2B0B703D8731A SHA-1: 0x4B05567225CBB85310D30379CE3167AF88713AB2	Spyware.EliteKeylogger!sd5 [PCTools] Spyware.EliteKeylogger [Symantec] Trojan-Dropper.Win32.VB.ts [Ikarus] packed with Armadillo [Kaspersky Lab]
2	%System%\hgfsnt.sys	16,896 bytes	MD5: 0x95FED28113B2B8BD0E915D7E820F23DE SHA-1: 0xED78B1B40FC32555BBA8EF53B200CB1F566FD772	Spyware.EliteKeylogger!sd5 [PCTools] Spyware.EliteKeylogger [Symantec] not-a-virus:Monitor.Win32.EliteKeylogger.30 [Kaspersky Lab] Keylog-Elt [McAfee] not-a-virus:Monitor.Win32.EliteKeylogger.30 [Ikarus]
3	%System%\kbdn32.dll	118,784 bytes	MD5: 0xB5EA5AA8945CEDD1C7517EB3079EE82E SHA-1: 0x18EC901025DCDADA6AA300061E073B127589529A	Spyware.EliteKeylogger!sd5 [PCTools] Spyware.EliteKeylogger [Symantec] not-a-virus:Monitor.Win32.EliteKeylogger.a [Kaspersky Lab] Virus.Win32.Agent.TBL [Ikarus]
4	%System%\netbex.sys	20,480 bytes	MD5: 0xE29ED26DD319B791D327930B9E10F675 SHA-1: 0x5D64D3F21C5AF132353777090120C81110576CC2	Spyware.EliteKeylogger!sd5 [PCTools] Spyware.EliteKeylogger [Symantec]
5	%System%\nikedr2k.sys	462,080 bytes	MD5: 0xEB4966F42C15186828E12951C6231125 SHA-1: 0xD8E2E5899D125A6D93799473885EFA5B1D487E30	Spyware.EliteKeylogger!sd5 [PCTools] Spyware.EliteKeylogger [Symantec] not-a-virus:Monitor.Win32.EliteKeylogger.21 [Kaspersky Lab] not-a-virus:Monitor.Win32.EliteKeylogger.21 [Ikarus]
6	[file and pathname of the sample #1]	3,866,347 bytes	MD5: 0xC05D7BE80FAC4166BCBB7D3D7729D425 SHA-1: 0x6AB4CD74AFACBBBA764AC5EE1948972F96AB416A	Application.Elite_Keylogger [PCTools] Spyware.EliteKeylogger [Symantec] not-a-virus:Monitor.Win32.EliteKeylogger.a, not-a-virus:Monitor.Win32.EliteKeylogger.21, not-a-virus:Monitor.Win32.EliteKeylogger.30 [Kaspersky Lab] Virus.Win32.Spyware [Ikarus]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
gdisvr.exe	%System%\gdisvr.exe	6,385,664 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	3,895,296 bytes

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]

{R7C0DB872A3F777C0} = 4A 8D 7D 4C
{K7C0DB872A3F777C0} = 33 14 0E 00 FB 0D 1F FF FF FF FF 69 EB 67 03 03 07 99 01 65 14 0F C8 1F F3 29 FB 4A 8D 7D 4C FF FF FF FF 87 30 0C C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F

Other details

To mark the presence in the system, the following Mutex objects were created:

5D4:DAF
RAL230C60D0
230C60D0::WK
DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
5D4::DA10FF4CEE
DILLOCREATE
DILLOOEP
DBWinMutex
5EC:DAF
5EC::DA10FF4CEE

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.