Keylog-WMSL

This page shows the details and results of our analysis of the malware Keylog-WMSL.

Overview

Keylog-WMSL is a trojan written in Borland Delphi that claims to be a Microsoft Windows Management License Service file. It contains functionality to log keystrokes and post information to a remote website.

Virus definitions dated April 09th, 2007 or earlier detect this threat as Generic PWS.b.


Minimum DAT

5005 (2007-04-10)

Updated DAT

5005 (2007-04-10)

Minimum Engine

5.1.00

File Length

589,312 bytes

Description Added

2007-04-09

Description Modified

2007-04-09

Malware Proliferation

Characteristics

When installing itself as a service, Keylog-WMSL runs with the following command line:

"Path to executable\svchost.exe" /install

It adds the following registry values so that it starts automatically as a service when Windows starts.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMSLService
"ImagePath" = "Path to executable\svchost.exe"
"Start" = "2"

In an effort to conceal its malicious nature, it uses a Microsoft-style service name and description in an attempt to trick users into believing this is a legitimate service.

"DisplayName" = "Windows Management Licence Service"
"Description" = "Provides a common interface and object model to access licence information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly.If this service is disabled, any services that explicitly depend on it will fail to start."

Symptoms

Keylog-WMSL logs all keystrokes on the infected machine to a text file.

  • wtv32ax.inf  (located in the same folder as the trojan)

This text file contains logged keystrokes in the following format.

  • [Date - Time - Application Window Title]
  • Logged Keystrokes

Periodically it attempts to contact the following domains to post its captured data via HTTP.

  • http://1311.highzapp.co.uk
  • http://1311.go-loghi-go.ca
  • http://www.gminsidenews.com
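
The service values listed under Characteristics and the log layout described under Symptoms can be checked programmatically. The following Python is an added example written for this page, not AVERT's tooling: it scores one service's registry values against the indicators above (the Windows system folders are assumed to be on C:) and parses the [Date - Time - Window Title] layout of wtv32ax.inf. The sample service and log below are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from this description (none of this comes from the sample itself).
SERVICE_NAME = "WMSLService"
DISPLAY_NAME = "Windows Management Licence Service"
# Folders from which a legitimate svchost.exe runs; system drive C: is an assumption.
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64"))
HEADER_RE = re.compile(r"^\[(.+?) - (.+?) - (.+)\]$")  # [Date - Time - Window Title]

def image_path(value):
    """Extract the executable from an ImagePath value, quoted or not, ignoring arguments."""
    m = re.match(r'^"([^"]+)"|^(\S+)', value.strip())
    return PureWindowsPath(m.group(1) or m.group(2)) if m else None

def service_indicators(name, values):
    """Return the indicators from this page matched by one service's registry values.
    `values` holds ImagePath, Start and DisplayName as read from
    HKLM\\System\\CurrentControlSet\\Services\\<name> by a collector."""
    hits = []
    if name.lower() == SERVICE_NAME.lower():
        hits.append("service key WMSLService")
    if values.get("DisplayName", "").lower() == DISPLAY_NAME.lower():
        hits.append("display name imitates a Windows service")
    exe = image_path(values.get("ImagePath", ""))
    # PureWindowsPath compares case-insensitively, as the registry does.
    if exe and exe.name.lower() == "svchost.exe" and exe.parent not in SYSTEM_DIRS:
        hits.append("svchost.exe running from a non-system folder")
        if values.get("Start") == "2":  # SERVICE_AUTO_START
            hits.append("auto-start (Start=2)")
    return hits

def parse_keylog(text):
    """Split wtv32ax.inf-style text into entries: a header line, then the keystrokes."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # window titles may themselves contain " - ", so the last group is greedy
            entries.append({"date": m.group(1), "time": m.group(2),
                            "window": m.group(3), "keys": ""})
        elif entries and line.strip():
            entries[-1]["keys"] += line
    return entries

# Constructed sample data in the shapes this page describes.
SAMPLE_SERVICE = {"ImagePath": r'"C:\Program Files\WMSL\svchost.exe" /install',
                  "Start": "2", "DisplayName": DISPLAY_NAME}
SAMPLE_LOG = ("[2007-04-09 - 10:15:03 - Untitled - Notepad]\nhello world\n"
              "[2007-04-09 - 10:16:40 - Inbox - Mozilla Thunderbird]\nsecret\n")

if __name__ == "__main__":
    print(service_indicators("WMSLService", SAMPLE_SERVICE))
    print(parse_keylog(SAMPLE_LOG))
```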

Method of Infection

Keyloggers are not viruses, and as such do not themselves contain any method to replicate. However, they may be downloaded by other viruses and/or trojans and installed on the user's system. Many of these use legitimate-looking or enticing filenames in order to trick people into executing them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the trojan onto the user's system with no user interaction).

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants