Spyware.SmartKeylogger

SUMMARY

Behavior

Spyware.SmartKeyLogger is a spyware program that monitors and records keystrokes, instant message conversations, ìnternet activity and applications used. Spyware.SmartKeyLogger also takes periodic screen shots and may be configured to transmit the recorded information via email.

Protection

• Initial Rapid Release version February 15, 2006
• Latest Rapid Release version June 14, 2008 revision 017
• Initial Daily Certified version February 15, 2006
• Latest Daily Certified version June 14, 2008 revision 016
• Initial Weekly Certified release date February 15, 2006

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

TECHNICAL DETAILS

Spyware.SmartKeyLogger is a spyware program that monitors and records keystrokes, instant message conversations, ìnternet activity and applications used. Spyware.SmartKeyLogger also takes periodic screen shots and may be configured to transmit the recorded information via email.

Once executed, the risk creates the following files:
%USERPROFILE%\Desktop\Free Undetectable Keylogger.lnk
%USERPROFILE%\Desktop\Smart Keystroke Recorder Pro.lnk
%USERPROFILE%\Start Menu\Programs\Smart Keystroke Recorder\Buy Now!.lnk
%USERPROFILE%\Start Menu\Programs\Smart Keystroke Recorder\Free Undetectable Keylogger.lnk
%USERPROFILE%\Start Menu\Programs\Smart Keystroke Recorder\Smart Keystroke Recorder Pro.lnk
%USERPROFILE%\Start Menu\Programs\Smart Keystroke Recorder\Help.lnk
%USERPROFILE%\Start Menu\Programs\Smart Keystroke Recorder\Online Support.lnk
%USERPROFILE%\Start Menu\Programs\Smart Keystroke Recorder\Uninstall.lnk
%PROGRAMFILES%\Smart Keystroke Recorder\BrowserSniffer.dll
%PROGRAMFILES%\Smart Keystroke Recorder\EMailHelper.dll
%PROGRAMFILES%\Smart Keystroke Recorder\Hooks.dll
%PROGRAMFILES%\Smart Keystroke Recorder\LogService.exe
%PROGRAMFILES%\Smart Keystroke Recorder\order.url
%PROGRAMFILES%\Smart Keystroke Recorder\riched20.dll
%PROGRAMFILES%\Smart Keystroke Recorder\Settings.dat
%PROGRAMFILES%\Smart Keystroke Recorder\skr.exe
%PROGRAMFILES%\Smart Keystroke Recorder\skr.exe
%PROGRAMFILES%\Smart Keystroke Recorder\skr.log
%PROGRAMFILES%\Smart Keystroke Recorder\skr.log.ind
%PROGRAMFILES%\Smart Keystroke Recorder\sma.exe
%PROGRAMFILES%\Smart Keystroke Recorder\SmartKeystrokeRecorder.chm
%PROGRAMFILES%\Smart Keystroke Recorder\StopAll.exe
%PROGRAMFILES%\Smart Keystroke Recorder\support.url
%PROGRAMFILES%\Smart Keystroke Recorder\unins000.dat
%PROGRAMFILES%\Smart Keystroke Recorder\unins000.exe
%PROGRAMFILES%\Smart Keystroke Recorder\Warn.exe

It also creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6ADE150-743D-11D4-8141-00E029626F6A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6ADE143-743D-11D4-8141-00E029626F6A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserSniffer.IESniffer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserSniffer.IESniffer.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6ADE150-743D-11D4-8141-00E029626F6A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SmartKeystrokeRecorderAppId_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Smart Keystroke Recorder
HKEY_LOCAL_MACHINE\SOFTWARE\SmartSoft
HKEY_CURRENT_USER\SOFTWARE\SmartSoft

The risk then creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"sma" = "C:\Program Files\Smart Keystroke Recorder\sma.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SKRSpyWarn" = "%ProgramFiles%\Smart Keystroke Recorder\Warn.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"LogService" = "%ProgramFiles%\Smart Keystroke Recorder\LogService.exe "Smart Keystroke Recorder" "SOFTWARE\Smart Keystroke Recorder\AppSettings" "skr.log" "SOFTWARE\Smart Keystroke Recorder" "check_url" "develop_url""

The risk can be configured to monitor a variety of activities on the computer, including:
All keystrokes typed
Applications accessed (information recorded consists of application path and window title)
IM conversations (AOL, MSN, Yahoo, and ICQ sessions)
Screenshots of the desktop
All websites visited
All TCP/UDP network traffic (the information recorded consists of listing of source and destination IP addresses and ports used in communication)

Resource data used by the application is stored in the following folder (consist of GIF, JPG, HTM, and CSS files used in the application's GUI):
%PROGRAMFILES%\Smart Keystroke Recorder\html

In addition, logged information is stored locally on the computer. By default, this information is stored in the following folders:
%PROGRAMFILES%\Smart Keystroke Recorder\Data
%PROGRAMFILES%\Smart Keystroke Recorder\ScrShots

The risk can be configured to transmit all logged information via email to a preconfigured email address at specified time intervals (capture interval specified in minutes, configured at installation).