Content

Keylog-Stawin

Type
Trojan
SubType
Win32
Discovery Date
12/01/2003
Length
3-6kB (exe)
3-5kB (dll)
Minimum DAT
4307 (12/03/2003)
Updated DAT
4397 (10/06/2004)
Minimum Engine
5.1.00
Description Added
01/28/2004
Description Modified
04/08/2004 12:53 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

--Update 8th April, 2004 13:00 PST
 This description has been updated to cover more variants of Keylog-Stawin which have been spammed out.
--
This generic detection is regularly updated by AVERT for multiple keylogging trojans of this family, many of which are known to have been spammed to users. Users are recommended to use the latest engine/DATs combination for optimal detection.

The description below is of one of the many variants included under this detection name.
--
The trojan is intended to log data from user sessions associated with banking transactions. Data entered into windows with any of the following strings in the title is logged (please note: the particular window strings vary from version to version):

  • Westpac
  • ANZ
  • Logon
  • Access
  • bendigo
  • Bendigo
  • e-bendigo
  • e-Bendigo
  • commbank
  • Commonwealth
  • NetBank
  • Citibank
  • e-gold
  • e-bullion
  • e-Bullion
  • evocash
  • EVOCash
  • EVOcash
  • intgold
  • INTGold
  • paypal
  • PayPal
  • bankwest
  • Bank West
  • BankWest
  • National
  • cibc
  • CIBC
  • scotiabank
  • ScotiaBank
  • Scotia Bank
  • bmo
  • BMO
  • bank of montreal
  • Bank of Montreal
  • royalbank
  • Royal Bank
  • RoyalBank
  • tdcanadatrust
  • TD Canada Trust
  • TDCanadaTrust
  • president's choice
  • President's Choice
  • President Choice
  • suncorpmetway
  • Suncorp
  • macquarie
  • Macquarie
  • INTgold
  • 1mdc
  • 1MDC
  • bank
  • Bank
  • goldmoney
  • GoldMoney
  • goldgrams
  • pecunix
  • Pecunix
  • Pecun!x
  • hyperwallet
  • HyperWallet

Logged data is written to %WinDir%:

  • %WinDir%\KGN.TXT (Note: this file name varies between versions)

Logged data is then sent via SMTP to the hacker. An IP address hard-coded in the trojan is used for the SMTP server:

  • 194.67.23.10 (note: this is used for just one of the variants)

The email sent is constructed as follows:

From: govnodav2004@mail.ru
To: govnodav2004@mail.ru
Subject: Keylog from ([machine name])
Body:
[window title]
------------------------ [logged data]

The KGN.TXT keylog file is deleted once mail is sent.

Symptoms

  • Existence of the files and or Registry keys detailed in the Method of Infection section

Method of Infection

As detailed above. Many variants are known to have been spammed to users. However, it may also be received through one of the other common channels trojans are distributed, for example:

  • via HTTP download
  • via IRC channels
  • via P2P file sharing network

When executed the trojan copies itself into %WinDir% on the victim machine:

  • %WinDir%\MESSAGE.EXE (note: filename may vary)

It drops a keyboard hooking DLL into %WinDir% as well:

  • %WinDir%\HOOKERDLL.DLL

The following Registry key is set to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "OLE" = %WinDir%\ (refers to the file dropped above)

The process can be view in the Windows task manager.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Keylog-Stawin.dll
  • PWSteal.Tarno.D (Symantec)
  • Troj/Banker-H (Sophos)
  • TrojanSpy.Win32.Keylogger.aa (AVP)

Characteristics

Characteristics -

--Update 8th April, 2004 13:00 PST
 This description has been updated to cover more variants of Keylog-Stawin which have been spammed out.
--
This generic detection is regularly updated by AVERT for multiple keylogging trojans of this family, many of which are known to have been spammed to users. Users are recommended to use the latest engine/DATs combination for optimal detection.

The description below is of one of the many variants included under this detection name.
--
The trojan is intended to log data from user sessions associated with banking transactions. Data entered into windows with any of the following strings in the title is logged (please note: the particular window strings vary from version to version):

  • Westpac
  • ANZ
  • Logon
  • Access
  • bendigo
  • Bendigo
  • e-bendigo
  • e-Bendigo
  • commbank
  • Commonwealth
  • NetBank
  • Citibank
  • e-gold
  • e-bullion
  • e-Bullion
  • evocash
  • EVOCash
  • EVOcash
  • intgold
  • INTGold
  • paypal
  • PayPal
  • bankwest
  • Bank West
  • BankWest
  • National
  • cibc
  • CIBC
  • scotiabank
  • ScotiaBank
  • Scotia Bank
  • bmo
  • BMO
  • bank of montreal
  • Bank of Montreal
  • royalbank
  • Royal Bank
  • RoyalBank
  • tdcanadatrust
  • TD Canada Trust
  • TDCanadaTrust
  • president's choice
  • President's Choice
  • President Choice
  • suncorpmetway
  • Suncorp
  • macquarie
  • Macquarie
  • INTgold
  • 1mdc
  • 1MDC
  • bank
  • Bank
  • goldmoney
  • GoldMoney
  • goldgrams
  • pecunix
  • Pecunix
  • Pecun!x
  • hyperwallet
  • HyperWallet

Logged data is written to %WinDir%:

  • %WinDir%\KGN.TXT (Note: this file name varies between versions)

Logged data is then sent via SMTP to the hacker. An IP address hard-coded in the trojan is used for the SMTP server:

  • 194.67.23.10 (note: this is used for just one of the variants)

The email sent is constructed as follows:

From: govnodav2004@mail.ru
To: govnodav2004@mail.ru
Subject: Keylog from ([machine name])
Body:
[window title]
------------------------ [logged data]

The KGN.TXT keylog file is deleted once mail is sent.

Symptoms

Symptoms -

  • Existence of the files and or Registry keys detailed in the Method of Infection section

Method of Infection

Method of Infection -

As detailed above. Many variants are known to have been spammed to users. However, it may also be received through one of the other common channels trojans are distributed, for example:

  • via HTTP download
  • via IRC channels
  • via P2P file sharing network

When executed the trojan copies itself into %WinDir% on the victim machine:

  • %WinDir%\MESSAGE.EXE (note: filename may vary)

It drops a keyboard hooking DLL into %WinDir% as well:

  • %WinDir%\HOOKERDLL.DLL

The following Registry key is set to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "OLE" = %WinDir%\ (refers to the file dropped above)

The process can be view in the Windows task manager.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A