Gen.Variant.Graftor.8567_8c74ed1009

by malwarelabrobot on October 20th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.8567 (B) (Emsisoft), Gen:Variant.Graftor.8567 (AdAware), Monitor.Win32.PerfectKeylogger.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Keylogger, Trojan, Worm, EmailWorm, Monitor


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.



MD5: 8c74ed1009dba0d95c7ef536f262490c
SHA1: a12ea18acd39811eb61fd69be9390bcfa2037be1
SHA256: cce2d9f723f34785b99261a0f234e848380e348a0e59213bd1ce8c2e85f47ff6
SSDeep: 12288:tXVSvROInPW7C2aATg9gJNlF 31uLZhDkbq1cRBD32LMNHtZhUERcZ:3SvMIP lN867CQdhDkGSfD4gNZ5uZ
Size: 523596 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-11-23 04:52:54
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Keylogger. Tracking software that records keyboard and/or mouse activity. Keyloggers typically either store the recorded keystrokes for later retrieval or transmit them to the remote process or person employing the keylogger. While there are some legitimate uses of keyloggers, they are often used maliciously by attackers to surreptitiously track behavior and perform unwanted or unauthorized actions, including but not limited to identity theft.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

fghEE.tmp:588
%original file name%.exe:368
brm.exe:1648
6r4EF.tmp:516
NOTEPAD.EXE:276
fgbED.tmp:460
rinst.exe:424

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process fghEE.tmp:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\explorer.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6r4EF.tmp (35 bytes)

The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fghEE.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fgbED.tmp (601 bytes)

The process brm.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\pk.bin (6 bytes)
%System%\keystrokes.html (25 bytes)
%System%\bpk.dat (132 bytes)

The Trojan deletes the following file(s):

%System%\keystrokes.html (0 bytes)
%System%\bpk.dat (0 bytes)

The process fgbED.tmp:460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S47KLT1Q\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ISK6R7LJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFQDXZ8E\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HFCXWLKM\desktop.ini (67 bytes)

The process rinst.exe:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\rinst.exe (7 bytes)
%System%\brmhk.dll (8 bytes)
%System%\pk.bin (3 bytes)
%System%\inst.dat (996 bytes)
%System%\brm.exe (13584 bytes)
%System%\brmwb.dll (1552 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\rinst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\brmwb.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\pk.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\brmhk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\inst.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\brm.exe (0 bytes)

Registry activity

The process fghEE.tmp:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 87 CA 5C 48 D2 DB 6B AF A7 67 57 70 26 F9 EF"

The process brm.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID]
"(Default)" = "PK.IE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\PK.IE\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IViewSource"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0]
"(Default)" = "BPK IE Plugin Type Library"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID]
"(Default)" = "PK.IE.1"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PK.IE.1\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32]
"(Default)" = "%System%\brmwb.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\PK.IE.1]
"(Default)" = "IE Plugin Class"

[HKCR\PK.IE]
"(Default)" = "IE Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32]
"(Default)" = "%System%\brmwb.dll"
"ThreadingModel" = "Apartment"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 5D 96 6B 32 4B FA 50 44 70 17 50 6E B5 EC DF"

[HKCR\PK.IE\CurVer]
"(Default)" = "PK.IE.1"

[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IE Plugin Class"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To run itself automatically each time Windows is booted, the Trojan adds a link to its file to the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Brm" = "%System%\brm.exe"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "PK IE Plugin"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 6r4EF.tmp:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

To run itself automatically each time Windows is booted, the Trojan adds a link to its file to the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Update" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "c!"

The process NOTEPAD.EXE:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 78 9E 2F E1 F3 06 C8 38 7C E8 CE 79 4C 40 99"

The process fgbED.tmp:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\cypherx.org\knk]
"cnf" = "00 00 00 00 5E 1D FC 90 1D D5 11 B2 87 01 9B D1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 67 AC D9 5F 30 C4 A0 2B F6 5C 93 AD 76 90 60"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rinst.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 FE 15 31 18 7D 57 69 9B 82 13 43 FF 78 49 FC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"NOTEPAD.EXE" = "Notepad"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Dropped PE files

MD5 File path
6952846751ca9499279a23ffc0d025c8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6r4EF.tmp
017b91892804c1f8731a7e6d79edef98 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\explorer.exe
f2539500eef046fe8f32f0906b815dc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\fgbED.tmp
e94857475e7c53fe9d636c6b40b3b2c9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\fghEE.tmp
18bc32bb8a8d5a85cdafad5a4ecc4c73 c:\WINDOWS\system32\brm.exe
a51cd9899672b880685b216c4fa9b099 c:\WINDOWS\system32\brmhk.dll
a09df00f1dee720c69dd28459b5c764c c:\WINDOWS\system32\brmr.exe
1a552164764b4c75b78202e32cc8821e c:\WINDOWS\system32\brmwb.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 29316 29696 4.56295 e40f16ee88af6cbae54d1ff820462d7b
.rdata 36864 10720 10752 3.48251 3a18fe5dc5306038fb976b8fdb02a855
.data 49152 10048 3584 1.77532 ac27bd9d779907076480ab6589b38da8
.rsrc 61440 35276 35328 4.37945 b43073526c4200beb08b7e46936ffc61
.reloc 98304 4290 4608 2.63744 e1b29c7837ffc8dc8ef906116481b909

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps

NOTEPAD.EXE_276:

.text
`.data
.rsrc
comdlg32.dll
SHELL32.dll
WINSPOOL.DRV
COMCTL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
notepad.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
notepad.pdb
_acmdln
RegCloseKey
RegCreateKeyW
RegOpenKeyExA
SetViewportExtEx
GetKeyboardLayout
name="Microsoft.Windows.Shell.notepad"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
*.txt
/.SETUP
Text Documents (*.txt)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\Install.txt
5.1.2600.5512 (xpsp.080413-2105)
NOTEPAD.EXE
Windows
Operating System
5.1.2600.5512
notepad.hlp
You cannot quit Windows because the Save As dialog
dialog box, and then try quitting Windows again.
Common Dialog error (0xx)
Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.
Not a valid file name.MCannot create the %% file.
Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.
Page %d
Ln %d, Col %d

brm.exe_1648:

.text
`.rdata
@.data
.rsrc
kw.dat
mc.dat
Software\Blazing Tools\Perfect Keylogger\1.2
readme.txt
inst.dat
rinst.exe
pk.bin
inst.bin
inst.tmp
bpk.dat
web.dat
bpkch.dat
keystrokes.html
websites.html
chats.html
bpk.chm
apps.dat
titles.dat
temporary.bmp
th_temp.bmp
report.txt
hXXp://VVV.blazingtools.com/updates/bpk.dat
update.tmp
install.log
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
FtpPutFileA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA
WININET.dll
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
EnumChildWindows
GetKeyNameTextA
MapVirtualKeyA
MapVirtualKeyExA
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutList
RegisterHotKey
UnregisterHotKey
USER32.dll
GDI32.dll
comdlg32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyExA
RegDeleteKeyA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
WSOCK32.dll
RPCRT4.dll
DNSAPI.dll
.PAVCFileException@@
.PAVCException@@
.PAVCObject@@
0xx %d
%u 0xx
%d %d
%d %d %d
Ss=%d, Se=%d, Ah=%d, Al=%d
%d: dc=%d ac=%d
%d: %dhx%dv q=%d
0xx: %u, %u, =%d
RST%d
0xx, %d
to %d
%d = %d*%d*%d
%4u %4u %4u %4u %4u %4u %4u %4u
0xx, length %u
%d x %d
%d.d
%dx%d %d
= = = = = = = =
%d precision %d
0xx: 0xx
Ðxx 0xx, %d
0xx 0xx
0xx
Ss=%d Se=%d Ah=%d Al=%d
.PAVCOXJPEGException@@
options_alerts.htm
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d
options_PTF.htm
OLEACC.DLL
oleacc.dll
options_notification.htm
The .EXE file is invalid
(non-Win32 .EXE or error in .EXE image).
%s action failed!
Failed to execute unknown action!
The operating system is out
The operating system denied
There was not enough memory to complete the operation.
d-d-%d d:d:d
WININET.DLL
%s <%s>
Content-Location: %s
Content-ID: %s
Content-Base: %s
Content-Type: %s; charset=%s
Content-Type: %s; charset=%s; Boundary="%s"
Content-Type: %s; charset=%s; name=%s
Content-Disposition: attachment; filename="%s"
Content-Type: %s; charset=%s; name=%s; Boundary="%s"
--%s--
Microsoft Outlook Express 6.00.2800.1437
Reply-To: %s
Content-Type: %s;
charset=%s
Content-Type: %s
Content-Type: %s; boundary="%s"
Subject: %s
Date: %s
X-Mailer: %s
Cc: %s
From: %s
To: %s
%a, %d %b %Y %H:%M:%S
=?%s?q?
EHLO %s
HELO %s
MAIL FROM:<%s>
RCPT TO:<%s>
Password:
AUTH LOGIN
AUTH LOGIN PLAIN
Opera
Mozilla
Firefox
Build 1.6.3.0.
version.dll
options_common.htm
options_diary.htm
options_email.htm
Perfect Keylogger Test
KERNEL32.DLL
Setup=rinst.exe
Program files (*.exe)
*.exe
All files (*.*)
tips.htm
explorer.exe
hXXp://
d-d-%d d:d
user32.dll
EnableSpecialKeysLogging
main.htm
Windows
[DeleteGroup(%s)]
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Perfect Keylogger
%d-%d-%d_%d-%d-%d
th_%d-%d-%d_%d-%d-%d
th_%d-d-d_d-d-d-%d
%d-d-d_d-d-d-%d
nopass
d-d-d-d-d-d
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
i.dll
un.exe
vw.exe
wb.dll
hk.dll
r.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
psapi.dll
<H2>%s, %s</H2><H3>%s</H3>
<H1> %s</H1>
%d/%d/%d %d:%d:%d
<H2>%s %s</H2><H3>%s</H3><P><A target=_blank href="%s" title="%s">%s</A></P>
%s, %s
<H2>%s - %s, %s</H2><H3>%s</H3>
advapi32.dll
\StringFileInfo\XX\FileDescription
Application files (*.exe)
options_ex_programs.htm
options_screenshots.htm
%ld%c
00000409
LOGIN PLAIN
version="1.0.0.0"
name="Microsoft.Windows.Manifest"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Password
Password required
Enter the password:
Perfect Keylogger can carry out visual surveillance. It means the screen capturing every time when the specified interval is elapsed and storing the compressed images on a disk. You can review it later using Log Viewer.
&Web log (websites visited)
&Also hide keylogger's icon when it will start next time
Please notice, that "Run on Windows startup" option is checked. This means, that keylogger's startup screen will appear after PC reboot. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
&SMTP server:
Example: smtp.myrealbox.com
&Port number:
&Password:
Text log (&keystrokes)
&Try to upload logs by FTP every
HTML (can be viewed with a web browser)
Example: PTF.prohosting.com
Remote dir is the directory on the FTP server where you want to store log files. You can leave it blank to store logs at the initial directory.
Use passive &mode (this may be necessary for some firewalls)
T&est FTP
Capture mouse clicks &only in the following windows:
This software may be installed and evaluated for 3 days to ensure that it meets your needs. This screen will appear every time when keylogger starts until you buy the program.
Days remaining: %d.
Perfect Keylogger's Registration
Enter &old password:
Enter &new password:
&Repeat new password:
To reset the password, leave the field blank.
To set or change the password for using keylogger, click Password button.
&Password...
&Monitor only online activity (disable keylogger when computer is offline)
&Use progressive method of keystroke interception
(flip this option if you have problems with keyboard logging)
&Include non-character keys in the log
Perfect Keylogger's Home Page
About Perfect Keylogger
VVV.blazingtools.com
[email protected]
Use the newest solution in the visual surveillance and keyboard monitoring!
&Run on Windows startup
Hotkeys
msctls_hotkey32
HotKey1
&Make the program invisible in the Windows startup list
Click here to uninstall keylogger
Welcome to the Remote Installation Wizard! This wizard will help you to create compact deployment package for Perfect Keylogger
The wizard will combine Perfect Keylogger and any other specified program. When somebody will run that program, keylogger will be immediately installed on the computer in the absolutely stealth mode.
Please configure keylogger before creating installation package. All current settings will be applied immediately after the stealth installation.
The wizard can also create package for removal of the installed keylogger.
&Automatically uninstall remote keylogger after
Now you can use this package to install keylogger on the another PC. You can copy it to the floppy disk or send by e-mail. When somebody will run this program, keylogger will be installed and activated in the stealth mode.
Keylogger will be installed into the following folder:
&Install new or update existing keylogger on the remote computer
Uninstall existing copy of the Perfect Keylogger on the remote computer
By FTP
Create a list of "on alert" words or phrases and Perfect Keylogger will continually monitor keyboard typing and web pages for these words.
When a keyword or phrase will be detected, Perfect Keylogger can immediately send you an instant alert via e-mail.
&Add keyword
Keyword detection action
&Download and run the file from the following URL:
The file will be downloaded into keylgger's folder and opened immediately after the package execution.
BlazingTools Perfect Keylogger
PathYFile PSAPI.DLL not found in your system. Target applications feature will be unavailable.
Targets.Enter window title or its part (any substring)ASpecify an applications where you want Perfect Keylogger enabled:\Specify window titles or their parts (substrings), where you want Perfect Keylogger enabled:&Error writing program-exceptions file.#Error writing windows titles file.
This is a Perfect Keylogger report for computer "%s", IP address %s, user "%s".
[email protected] haven't specified the hotkey to put keylogger into the visible mode. Do you really want to disable hotkey?/Please, specify the destination e-mail address.
Perfect Keylogger report:
Keylogger is ready to work! Type any text in any application, then double click on Perfect Keylogger's icon to view the log. To hide the icon, right click on it and select "Hide program icon" from the context menu. Thank you for installing Perfect Keylogger!
Invalid password!
5An error occured on saving file "%s". Error code = %u
An error has occurred while creating the package. The wizard will be closed. Please make sure that keylogger is running from the original location.CType folder path here or click "Next" to install to "System" folder;"System" folder (path will be detected during installation)
VVV.blazingtools.com/bpk.html
VVV.blazingtools.comVPlease, first specify the hotkey to show the icon next time. Do you want to do it now?TYou're about to hide the program icon.
Attention: use %s to show the icon next time.
FTP server
OError while connecting to site. Please make sure that FTP settings are correct.
Unable to set FTP directory.
Incorrect hook DLL version.ZCan't to set hotkey combination #%d (already in use). Please, specify another combination.
Enter re&gistration code...ETo remove this screen and other trial limitations, please buy it now.)hXXp://VVV.blazingtools.com/orderbpk.html_This is a Perfect Keylogger test message. If you've received it, all mail settings are correct.6Test message was sent succesfully. Check your mailbox.$COPYING TO THE CLIPBOARD WAS LOGGED:$Test file was uploaded successfully!HCongratulations! If you are reading this file, FTP settings are correct.5&Specify the program to combine with the uninstaller:6&Specify the program to combine it with the keylogger:
YA new version of Perfect Keylogger is available. Do you want to download the new version?
When somebody will run this package, it will stop running keylogger and remove it.
Attention: Perfect Keylogger version 1.45 or higher is required..Perfect Keylogger was installed successfully: ZPerfect Keylogger was installed on the computer %s, with IP address %s, user %s at %s, %s.KLog upload date: %s
Time: %s
Computer: %s
IP address: %s
User: %s
Please notice, that keylogger's startup screen will appear when installation package will be launched. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
Perfect Keylogger Alert: ePerfect Keylogger has detected that keyword "%s" was typed by user %s at the computer %s.
Context: %s
Error launching Log Viewer.zPefect Keylogger has detected that web page %s contains keyword "%s". This page was visited by user %s at the computer %s.
AttentionARegistration succeeded. Thank you for choosing Perfect Keylogger!
Hide program &icon "Set new Perfect Keylogger password!Change Perfect Keylogger password
Wrong old password.
Passwords do not match.*hXXp://VVV.blazingtools.com/downloads.html
Perfect Keylogger Test Message
If this option is checked, keylogger will not be loaded at startup after incorrect shutdown of the computer.
Use this option only if you really need to hide keylogger in the startup list.
PASSWORD CAPTURED: %Where do you want to store your logs?3Select the folder where you want to store the logs:


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    fghEE.tmp:588
    %original file name%.exe:368
    brm.exe:1648
    6r4EF.tmp:516
    NOTEPAD.EXE:276
    fgbED.tmp:460
    rinst.exe:424

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\explorer.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6r4EF.tmp (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fghEE.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fgbED.tmp (601 bytes)
    %System%\pk.bin (6 bytes)
    %System%\keystrokes.html (25 bytes)
    %System%\bpk.dat (132 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S47KLT1Q\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ISK6R7LJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YFQDXZ8E\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HFCXWLKM\desktop.ini (67 bytes)
    %System%\rinst.exe (7 bytes)
    %System%\brmhk.dll (8 bytes)
    %System%\inst.dat (996 bytes)
    %System%\brm.exe (13584 bytes)
    %System%\brmwb.dll (1552 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Brm" = "%System%\brm.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Update" = "c:\%original file name%.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Update" = "c!"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
