iPolicy Networks Security Advisory
 
W32.KeyLogger.Refog.A
Severity: Medium
Type: Key Logger
Date Published: 07/16/2008
Size: 5,331,222 bytes
Operating System Affected: Windows 2000, Windows Server 2003, Windows XP
 
Synopsis
W32.KeyLogger.Refog.A is a commercial spyware program. It logs keystrokes, Web sites visited, and clipboard activity. It also has a screen capture logger and can be run automatically in a silent, undetectable mode.

This spyware can use FTP or email to send all the logs to a remote server or email address.
Threat Analysis

W32.KeyLogger.Refog.A performs the following activities when executed on the victim machine:

1. Upon execution, it copies itself to the Windows system directory as <Win_Dir>\system32\MPK\MPK.exe

It adds the following registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Mpk.exe" = Mpk.exe

Thus, it is executed every time Windows starts.

2. It performs a DNS query for www.refog.com and then sends information about the language and the type of installer installed on the victim machine.

3. The GUI of W32.KeyLogger.Refog.A looks like the following:




4. W32.KeyLogger.Refog.A sends all the logs to a remote server or email address. An email sent by W32.KeyLogger.Refog.A looks like the following:



5. W32.KeyLogger.Refog.A also captures screenshots of the various running windows. The screenshots look like the following:



The above analysis was performed on the free trial version of W32.KeyLogger.Refog.A.
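The artifacts listed in the analysis above (the Run value, the installed file path, and the DNS lookup) can be checked against evidence collected from a host. The following is an added example, not part of the original advisory: the input formats (text output of `reg query`, a file listing, and a whitespace-delimited DNS log) and all sample data are assumptions constructed for illustration.

```python
import re

# Indicators as written in the advisory; Windows names are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "mpk.exe"
FILE_SUFFIX = r"\system32\mpk\mpk.exe"   # <Win_Dir> differs per host
DNS_NAME = "www.refog.com"
# One value line of `reg query` text output: name, type, data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

def run_key_hits(reg_text):
    """Return (name, data) pairs under the HKLM Run key that reference Mpk.exe."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        if line and not line[0].isspace():      # unindented line = key header
            in_run_key = line.strip().lower() == RUN_KEY
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            name, data = m.group(1).strip(), m.group(3).strip()
            base = data.lower().strip('"').split("\\")[-1]  # file name part
            if name.lower() == RUN_VALUE or base == RUN_VALUE:
                hits.append((name, data))
    return hits

def file_hits(paths):
    """Return paths ending in \\system32\\MPK\\MPK.exe under any Windows directory."""
    return [p for p in paths if p.lower().endswith(FILE_SUFFIX)]

def dns_hits(log_lines):
    """Return lines with a token equal to the hostname (exact match, not substring)."""
    return [l for l in log_lines
            if any(t.lower().rstrip(".") == DNS_NAME for t in l.split())]

def triage(reg_text, paths, dns_lines):
    return {"run_key": run_key_hits(reg_text), "file": file_hits(paths), "dns": dns_hits(dns_lines)}

# Constructed sample evidence (not taken from the advisory).
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMwareTray.exe
    Mpk.exe    REG_SZ    Mpk.exe
"""
SAMPLE_PATHS = [r"C:\WINDOWS\system32\MPK\MPK.exe", r"C:\WINDOWS\system32\notepad.exe"]
SAMPLE_DNS = [
    "2008-07-16 10:02:11 10.0.0.23 A www.refog.com",
    "2008-07-16 10:02:15 10.0.0.23 A www.refog.com.example.net",
]
if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_PATHS, SAMPLE_DNS))
```

A hit on the DNS name alone only shows that a host looked up the vendor's site; the Run value and file path together are the stronger sign of an installed copy.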

References

http://vil.nai.com/vil/content/v_130318.htm

Write-up by: Anupam Kumar

 

 
 