Keylog-Ezik

Type: Trojan
SubType: Keylogger
Discovery Date: 07/26/2006
Length: varies
Minimum DAT: 4815 (07/26/2006)
Updated DAT: 4988 (03/20/2007)
Minimum Engine: 5.1.00
Description Added: 07/26/2006
Description Modified: 07/27/2006 3:34 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Upon execution, the trojan drops the following files.

  • %WINDIR%\svchst.exe
  • %WINDIR%\svchst17.dll

The following registry keys are added.

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \svchst="%WINDIR%\svchst.exe"
  • hkey_local_machine\software\ezhik\launchtime="(date and time)"
  • hkey_local_machine\software\ezhik\clientid="(digits)"

The trojan injects the DLL file as remote threads into the processes explorer.exe and iexplore.exe. It then monitors every keystroke typed and sends the log to the following remote host.

  • 217.199.[removed] port:80

Symptoms

  • existence of mentioned file(s) and registry keys
  • tcp connections to the mentioned remote host
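A read-only triage script for the indicators above, added here as an example; it is not part of the McAfee description or its tooling. It assumes Windows PowerShell with Get-NetTCPConnection (Windows 8 / Server 2012 or later; use netstat -ano on older hosts), and because the remote address is redacted in the description it matches only the 217.199. prefix, so network hits are leads for review rather than proof.

```powershell
# Keylog-Ezik indicator check (added example, not vendor code). Reports only; removes nothing.
# Run from an elevated PowerShell on the suspect host.
$findings = @()
function Add-Finding($type, $indicator, $detail) {
    $script:findings += [pscustomobject]@{ Type = $type; Indicator = $indicator; Detail = $detail }
}

# 1. Dropped files in %WINDIR%
foreach ($name in 'svchst.exe', 'svchst17.dll') {
    $path = Join-Path $env:WINDIR $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        Add-Finding 'File' $path "size=$($item.Length) mtime=$($item.LastWriteTime)"
    }
}

# 2. Run-key persistence value named "svchst"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'svchst' -ErrorAction SilentlyContinue
if ($runVal) { Add-Finding 'Registry' "$runKey\svchst" $runVal.svchst }

# 3. The trojan's own configuration key (launchtime, clientid)
$ezhikKey = 'HKLM:\SOFTWARE\ezhik'
if (Test-Path -LiteralPath $ezhikKey) {
    $props = Get-ItemProperty -Path $ezhikKey
    Add-Finding 'Registry' $ezhikKey "launchtime=$($props.launchtime) clientid=$($props.clientid)"
}

# 4. Established TCP connections to port 80 on the known (partial) C2 prefix.
#    The full address is redacted as 217.199.[removed] in the description.
Get-NetTCPConnection -State Established -RemotePort 80 -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -like '217.199.*' } |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Finding 'Network' "$($_.RemoteAddress):$($_.RemotePort)" "pid=$($_.OwningProcess) ($owner)"
    }

# 5. Is the dropped DLL loaded in explorer.exe / iexplore.exe (the remote-thread injection targets)?
foreach ($p in Get-Process -Name explorer, iexplore -ErrorAction SilentlyContinue) {
    try {
        $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'svchst17.dll' }
        if ($mod) { Add-Finding 'Injection' "$($p.ProcessName) pid=$($p.Id)" $mod.FileName }
    } catch {
        # Module enumeration can fail across 32/64-bit boundaries; note it rather than abort.
        Add-Finding 'Injection' "$($p.ProcessName) pid=$($p.Id)" "module list unavailable: $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) { 'No Keylog-Ezik indicators found.' } else { $findings | Format-Table -AutoSize }
```

Any hit in categories 1 to 3 or 5 is strong evidence of the infection described above and should be followed by cleaning with the recommended engine and DAT combination.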

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This trojan is designed to log every keystroke typed and send the log to a remote site.

Aliases

  • Backdoor.Win32.Agent.aec (Kaspersky)
  • bck/ezhik.a (Panda)
  • BKDR_AGENT.CZI (Trend Micro)
  • Trojan.Keylogger.AU (BitDefender)
