Win32/Spy.KeyLogger [Threat Name]

Win32/Spy.KeyLogger.PGO [Threat Variant Name]

Category trojan
Size 3005440 B
Detection created Jun 03, 2016
Detection database version 13591
Aliases TrojanDropper:Win32/Maptrepol.A (Microsoft)
  Trojan.MulDrop6.42087 (Dr.Web)
Short description

Win32/Spy.KeyLogger.PGO is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. The trojan is often included in the installation packages of programs downloaded from untrustworthy sources.

Installation

When executed, the trojan creates the following files:

  • %temp%\procexp.exe (2130384 B)
  • %temp%\sega\nvvscv.exe (40448 B, Win32/Spy.KeyLogger.PGO)
  • %temp%\sega\prst.cab (344 B)
  • %temp%\sega\Prst.dll (128000 B, Win32/Spy.KeyLogger.PGO)
  • %temp%\sega\wndplyr.exe (170496 B, Win32/Spy.KeyLogger.PGO)
  • %temp%\sega\wrlck.cab (184 B)
  • %temp%\sega\Wrlck.dll (464896 B, Win32/Spy.KeyLogger.PGO)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Nvdia" = "%temp%\sega\nvvscv.exe"

The trojan launches the following processes:

  • %temp%\procexp.exe
  • %temp%\sega\nvvscv.exe
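As an added triage example (not part of this ESET entry), the following PowerShell checks a Windows host for the artifacts listed above: the dropped files, the "Nvdia" Run value and live processes started from those paths. It assumes that ESET's %temp% is the per-user temp folder, which PowerShell exposes as $env:TEMP. The entry gives no file hashes, so files are matched on path and size only; and because procexp.exe is also the name of the legitimate Sysinternals Process Explorer, a process with that name is reported only when its image lives under %temp%.

```powershell
# Added triage script; not part of the ESET entry. Assumption: ESET's %temp%
# is the per-user temp folder, which PowerShell exposes as $env:TEMP.
$temp = $env:TEMP

# Dropped files and sizes exactly as listed in the Installation section (no hashes are given).
$dropped = [ordered]@{
    "procexp.exe"      = 2130384
    "sega\nvvscv.exe"  = 40448
    "sega\prst.cab"    = 344
    "sega\Prst.dll"    = 128000
    "sega\wndplyr.exe" = 170496
    "sega\wrlck.cab"   = 184
    "sega\Wrlck.dll"   = 464896
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files: report presence, and whether the size matches the entry.
foreach ($rel in $dropped.Keys) {
    $path = Join-Path $temp $rel
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $size = (Get-Item -LiteralPath $path).Length
        $sizeNote = if ($size -eq $dropped[$rel]) { "size matches" } else { "size differs: $size B" }
        $findings.Add("FILE     $path ($sizeNote)")
    }
}

# 2. Persistence: HKCU Run value "Nvdia" (note the misspelling) pointing at nvvscv.exe.
$runKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains "Nvdia")) {
    $findings.Add("REGISTRY $runKey\Nvdia = $($run.Nvdia)")
}

# 3. Processes launched from the dropped binaries. procexp.exe is also the name of
#    Sysinternals Process Explorer, so it is only reported when it runs from %temp%.
foreach ($p in Get-Process -Name procexp, nvvscv, wndplyr -ErrorAction SilentlyContinue) {
    $exe = $p.Path   # $null when the process cannot be opened (other user, protected process)
    if ($exe -and $exe.StartsWith($temp, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("PROCESS  $($p.ProcessName) (PID $($p.Id)) from $exe")
    } elseif (-not $exe -and $p.ProcessName -ne "procexp") {
        $findings.Add("PROCESS  $($p.ProcessName) (PID $($p.Id)), image path not readable")
    }
}

if ($findings.Count -eq 0) {
    "No Win32/Spy.KeyLogger.PGO artifacts found for $env:USERNAME."
} else {
    $findings
}
```

Run it in the session of the user suspected of being infected: both the Run key (HKCU) and %temp% are per-user, so a check from an administrator's own session looks in the wrong hive and folder. Run it elevated if you need the image path of processes owned by other users. A hit is a reason to isolate the host rather than to clean it by hand, since the entry also lists download-and-execute capabilities.
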

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings

The trojan is able to log keystrokes.

The following programs are affected:

  • PuTTY
  • FileZilla
  • WinSCP

These are SSH, FTP and SFTP clients, so any credentials saved in them or typed into them on an infected host should be treated as compromised and rotated.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 4 URLs. The HTTPS protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • log keystrokes
  • send gathered information
  • perform DoS/DDoS attacks
