Keylog-Nosiam
- Type: Trojan
- SubType: Keylogger
- Discovery Date: 02/19/2008
- Length: varies
- Minimum DAT: 5233 (02/19/2008)
- Updated DAT: 5233 (02/19/2008)
- Minimum Engine: 5.1.00
- Description Added: 02/19/2008
- Description Modified: 03/25/2008 1:41 AM (PT)
Characteristics
On execution, this program copies itself into the %windir%\system32 folder.
This program creates a text file called "system32.txt" in the %windir%\system32 folder.
It then records keystrokes into this file. The recorded keystrokes are encrypted.
This trojan then connects to a remote server (uni[removed].com) to send the recorded keystrokes.
This trojan adds the following registry key to load itself at system startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "XP"
  Data: %WINDIR%\SERVER
Symptoms
Presence of the above-mentioned files and registry key.
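A host check for the indicators listed above, as an added example (not McAfee's code). The function name and output layout are hypothetical. Checking the 32-bit redirected locations (WOW6432Node, SysWOW64) goes beyond the description and is an assumption for 64-bit Windows.

```powershell
# Added example: looks for the Keylog-Nosiam indicators named in this description.
# Indicator values (Run value "XP", data %WINDIR%\SERVER, system32.txt) come from
# the description; everything else here is illustrative.
function Test-NosiamIndicators {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        # Assumption: a 32-bit process on 64-bit Windows is redirected here.
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    # Assumption: SysWOW64 is the redirected system32 for 32-bit processes.
    $systemDirs = @('system32', 'SysWOW64')
    $findings = @()

    foreach ($key in $runKeys) {
        # A missing key or missing "XP" value yields $null rather than an error.
        $run = Get-ItemProperty -Path $key -Name 'XP' -ErrorAction SilentlyContinue
        if ($run) {
            $data     = [string]$run.XP
            $expanded = [Environment]::ExpandEnvironmentVariables($data)
            $findings += [pscustomobject]@{
                Indicator          = "Run value 'XP' in $key"
                Detail             = $data
                # True only when the data is what the description reports.
                MatchesDescription = ($expanded -like "$env:windir\SERVER*")
            }
        }
    }

    foreach ($dir in $systemDirs) {
        $path = "$env:windir\$dir\system32.txt"
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path -Force
            $findings += [pscustomobject]@{
                Indicator          = 'Keystroke log file'
                Detail             = "$path ($($file.Length) bytes, modified $($file.LastWriteTime))"
                MatchesDescription = $true
            }
        }
    }
    return $findings
}

$result = Test-NosiamIndicators
if ($result) { $result | Format-List }
else { 'No indicators from this description were found.' }
```

A Run value named "XP" whose data differs from the description is reported with MatchesDescription set to False, so it can be reviewed rather than treated as a confirmed hit.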
Method of Infection
Keyloggers are not viruses, and as such do not themselves contain any method to replicate. However, they may be downloaded by other viruses and/or Trojans to be installed on the user's system.
Many of these are additionally mass-spammed by the author to entice people into double-clicking on them.
Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Keylogger onto the user's system with no user interaction).
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A
Overview
This detection is for a trojan that logs user keystrokes and sends them to a remote server.
Aliases
- Backdoor.Win32.VB.avi (Kaspersky)
- Backdoor:Win32/VB.ANT (Microsoft)
- W32/Nosiam.AVI!tr.bdr (Fortinet)