MSIL/Spy.Hakey [Threat Name] go to Threat

MSIL/Spy.Hakey.A [Threat Variant Name]

Category trojan,worm
Size 107008 B
Aliases Trojan.MSIL.Agent.daut (Kaspersky)
  TrojanSpy:MSIL/Hakey.A (Microsoft)
  PSW.ILUSpy.trojan (AVG)
  TR/Spy.Hakey.A.12 (Avira)
  Backdoor.MSIL.Agent.AR (BitDefender)
Short description

MSIL/Spy.Hakey.A is a worm that spreads via removable media.


When executed, the worm copies itself in some of the the following locations:

  • %system%\­Important\­svchost.exe
  • %personal%\­Important\­svchost.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "svchost" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "svchost" = "%malwarefilepath%"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2
    • "HideFileExt" = 1
Spreading on removable media

The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.

The extension of the file is ".exe" .

Information stealing

MSIL/Spy.Hakey.A is a worm that steals sensitive information.

The worm is able to log keystrokes.

The collected information is stored in the following file:

  • %system%\­Important\­log.txt
  • %personal%\­Important\­log.txt

The worm attempts to send gathered information to a remote machine.

The worm sends the information via e-mail.

The worm contains a list of (1) addresses. The SMTP protocol is used.

Other information

Worm requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.