Spyware.TypeRecorder

SUMMARY

Behavior

Spyware.TypeRecorder is a spyware program that runs in the background, silently recording keystrokes.

Protection

• Initial Rapid Release version March 29, 2006
• Latest Rapid Release version June 14, 2008 revision 017
• Initial Daily Certified version March 29, 2006
• Latest Daily Certified version June 14, 2008 revision 016
• Initial Weekly Certified release date March 29, 2006

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

TECHNICAL DETAILS

Spyware.TypeRecorder is a spyware program that runs in the background, silently recording keystrokes.

When the risk is installed, it creates the following files:
%ProgramFiles%\TypeRecorder\icr.dll
%ProgramFiles%\TypeRecorder\TRKbd.dll
%ProgramFiles%\TypeRecorder\TypeRec.exe
%ProgramFiles%\TypeRecorder\TypeRecorder.lnk

Then it creates the following folder:
%ProgramFiles%\TypeRecorder\

The risk then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\DataString
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\FT
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\HotKey
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\HotKeyModifiers
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\KeepLogDays %HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\LogsPath
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\RunHidden
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\StartMenuPath
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\UserName
HKEY_LOCAL_MACHINE\Software\Rampell\TypeRecorderL\UserSerialNumber

Next the risk creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"TypeRecorderL" = "%ProgramFiles%\TypeRecorderTypeRec.exe"

The risk then runs in the background silently recording keystrokes.