MSIL/Spy.Hakey [Threat Name]
MSIL/Spy.Hakey.A [Threat Variant Name]
Category | trojan, worm
Size | 107008 B
Aliases | Trojan.MSIL.Agent.daut (Kaspersky)
 | TrojanSpy:MSIL/Hakey.A (Microsoft)
 | PSW.ILUSpy.trojan (AVG)
 | TR/Spy.Hakey.A.12 (Avira)
 | Backdoor.MSIL.Agent.AR (BitDefender)
Short description
MSIL/Spy.Hakey.A is a worm that spreads via removable media.
Installation
When executed, the worm copies itself to some of the following locations:
- %system%\Important\svchost.exe
- %personal%\Important\svchost.exe
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "svchost" = "%malwarefilepath%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "svchost" = "%malwarefilepath%"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 2
- "HideFileExt" = 1
Spreading on removable media
The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.
The extension of the file is ".exe".
Information stealing
MSIL/Spy.Hakey.A is a worm that steals sensitive information.
The worm is able to log keystrokes.
The collected information is stored in the following files:
- %system%\Important\log.txt
- %personal%\Important\log.txt
The worm attempts to send gathered information to a remote machine.
The worm sends the information via e-mail.
The worm contains a list of (1) addresses. The SMTP protocol is used.
Other information
The worm requires the Microsoft .NET Framework to run.
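The indicators above can be checked on a host with a short script. This is an added example, not part of the original description or any vendor tool. It assumes %system% is the Windows system folder, %personal% is the user's Documents folder, and that a dropped copy on removable media shares its base name exactly with another item in the drive root.

```powershell
# Host check for the MSIL/Spy.Hakey.A indicators listed on this page (added example).
# Assumptions: %system% = Windows system folder, %personal% = the user's Documents folder.
$systemDir   = [Environment]::GetFolderPath('System')
$personalDir = [Environment]::GetFolderPath('MyDocuments')
$findings    = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy and keystroke log under an "Important" folder
foreach ($base in $systemDir, $personalDir) {
    foreach ($name in 'svchost.exe', 'log.txt') {
        $path = Join-Path (Join-Path $base 'Important') $name
        if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
    }
}

# 2. Run value named "svchost" in HKLM or HKCU
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains 'svchost')) {
        $findings.Add("Run value 'svchost' in $key -> $($props.svchost)")
    }
}

# 3. Explorer settings from the page. These values also occur on clean systems,
#    so report them only as context for the findings above.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -LiteralPath $advKey -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2 -and $adv.HideFileExt -eq 1) {
    $findings.Add('Context: Explorer Hidden=2 and HideFileExt=1 (not conclusive alone)')
}

# 4. Removable drives: .exe in the root sharing its base name with another item
#    (exact-match is an assumption; the page only says the name is "based on" one)
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    $items = Get-ChildItem -LiteralPath "$($disk.DeviceID)\" -Force -ErrorAction SilentlyContinue
    foreach ($exe in $items | Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.exe' }) {
        $stem = [IO.Path]::GetFileNameWithoutExtension($exe.Name)
        $twin = @($items | Where-Object { $_.Name -ne $exe.Name -and
            ($_.Name -eq $stem -or [IO.Path]::GetFileNameWithoutExtension($_.Name) -eq $stem) })
        if ($twin.Count) { $findings.Add("Removable root: $($exe.FullName) mirrors '$($twin[0].Name)'") }
    }
}

if ($findings.Count) { $findings } else { 'No indicators from this page found.' }
```

Run it in the affected user's session so the HKCU and Documents checks apply to that profile; `-Force` is needed because the worm's Explorer settings hide hidden files and extensions.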