Keylog-Razytimer

Type: Trojan
SubType: Password
Discovery Date: 01/30/2003
Length: 624,642 bytes
Minimum DAT: 4246 (02/05/2003)
Updated DAT: 4406 (11/10/2004)
Minimum Engine: 5.1.00
Description Added: 01/30/2003
Description Modified: 01/30/2003 5:46 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

The entry for "Keylog-Razytimer" was added to cover a malicious file called "MSHTML.EXE". The binary is a 32-bit PE executable with a file size of 624,642 bytes. It was written in Borland Delphi and is not packed or otherwise compressed.

Note that while a specific detection for the Keylog-Razytimer trojan is being added in DAT 4246, the file is already detected heuristically (for example by the currently released DAT 4245) as "New backdoor2", which is a generic detection.

When run, the file copies itself to the Windows system directory and creates a registry entry that loads it automatically at system start.

For example, on a Windows 9x/ME based system:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ "c:\windows\system\mshtml.exe"

To make the file less suspicious, the chosen name (mshtml.exe) closely resembles that of a legitimate system file, mshtml.dll (the Internet Explorer HTML rendering library).

The trojan is a so-called keylogger: it attempts to collect user credentials such as logon names and passwords, for example information relating to:
- Instant Messaging
- AOL
- WinZip
- the Internet Explorer start page
- PowerDVD
- the victim's IP address

The gathered information, together with a .jpg screenshot of the victim's system, can be transferred to a website. If the remote server (the "Serverlogger") accepts the connection and the transfer completes, it then disconnects the client connection.
The server port in use is 11831.
The transfer port is 29559.

Symptoms

- Presence of a malicious mshtml.exe in the Windows system directory (e.g. C:\WINDOWS\SYSTEM on Windows 9x/ME)

- A registry entry under ...\CurrentVersion\Run, for example on Windows 9x: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ "c:\windows\system\mshtml.exe"

- Unexpected network connections on ports 11831 (server port) and 29559 (transfer port).
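The two host-side indicators listed above, an autostart entry pointing at an mshtml.exe and connections on ports 11831/29559, can be checked offline against a registry export and saved netstat output. The Python script below is an added example written for this page; it is not McAfee tooling and not part of the original description. The registry export and netstat text are constructed samples, and the list of system DLL names that an .exe might imitate (MIMICKED_DLL_STEMS) is an assumption for illustration, generalising the mshtml.exe/mshtml.dll trick the description mentions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of the HKLM Run key on a Windows 9x
# host. The entries are made up for this example; only the mshtml.exe path
# is the one the advisory describes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"mshtml"="c:\\windows\\system\\mshtml.exe"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"""

# Constructed sample of `netstat -an` output; the foreign addresses are
# documentation ranges, not real indicators.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1034       198.51.100.7:11831     ESTABLISHED
  TCP    192.168.1.5:1035       198.51.100.7:29559     ESTABLISHED
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1040       203.0.113.9:80         ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

# Ports named in the advisory: 11831 (server) and 29559 (transfer).
RAZYTIMER_PORTS = {11831, 29559}

# Assumption for this example: stems of well-known system DLLs that a trojan
# might imitate with an .exe of the same name, as mshtml.exe imitates mshtml.dll.
MIMICKED_DLL_STEMS = {"mshtml", "shdocvw", "urlmon", "wininet"}

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def run_key_entries(reg_text):
    r"""Yield (value_name, command_line) for every value under a ...\CurrentVersion\Run key."""
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line.rstrip("]").lower()
            in_run_key = key.endswith(r"\currentversion\run")
            continue
        if not in_run_key:
            continue
        m = _REG_VALUE.match(line)
        if m:
            # .reg files escape embedded quotes as \" and backslashes as \\
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield m.group("name"), data


def _head_executable(command_line):
    """Return the executable path at the head of an autorun command line."""
    if command_line.startswith('"'):
        return command_line[1:].split('"', 1)[0]
    parts = command_line.split()
    return parts[0] if parts else ""


def suspicious_run_entries(reg_text):
    """Flag autorun entries whose executable name shadows a system DLL name."""
    findings = []
    for name, command_line in run_key_entries(reg_text):
        exe = PureWindowsPath(_head_executable(command_line))
        if exe.suffix.lower() == ".exe" and exe.stem.lower() in MIMICKED_DLL_STEMS:
            findings.append((name, str(exe)))
    return findings


def razytimer_connections(netstat_text):
    """Return netstat rows with a local or foreign endpoint on a Razytimer port."""
    hits = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        for endpoint in (local, foreign):
            port = endpoint.rsplit(":", 1)[-1]  # also handles [::1]:port
            if port.isdigit() and int(port) in RAZYTIMER_PORTS:
                hits.append((proto, local, foreign, state or "", int(port)))
                break
    return hits


def triage(reg_text, netstat_text):
    """Combine both indicator checks into one report."""
    return {
        "autorun": suspicious_run_entries(reg_text),
        "connections": razytimer_connections(netstat_text),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT).items():
        for item in items:
            print(kind, item)
```

Feed it a real `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and `netstat -an > netstat.txt` taken from the suspect host; because the parser matches any key ending in \CurrentVersion\Run, an HKCU export is handled the same way. The port match on its own is a weak indicator, since any program could happen to use those ports; the autostart entry whose executable name shadows mshtml.dll is the stronger of the two and should be confirmed by checking the file itself.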

Method of Infection

Manually running the malicious file installs it and starts the keylogging.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
