MSIL/Spy.RinLog [Threat Name]
MSIL/Spy.RinLog.A [Threat Variant Name]
Category | trojan |
Size | 194560 B |
Aliases | Trojan-Spy.MSIL.KeyLogger.agnk (Kaspersky) |
Short description
MSIL/Spy.RinLog.A is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
When executed, the trojan copies itself into the following location:
- %startup%\.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  - "(Default)" = "%startup%\.exe"
Information stealing
MSIL/Spy.RinLog.A is a trojan that steals sensitive information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- screenshots
- user name
- computer name
- operating system version
- amount of operating memory
- Windows product key
The following programs are affected:
- Mozilla Firefox
The trojan is able to log keystrokes.
The trojan attempts to send the gathered information to a remote machine by e-mail, using the SMTP protocol.
Other information
The trojan blocks execution of some programs.
The following programs are affected:
- Command Prompt
- Task Manager
- Registry Editor
- Internet Explorer
- MSN Messenger
- System Configuration
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
  - "DisableCMD" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  - "DisableTaskMgr" = 1
  - "DisableRegistryTools" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  - "NoDrives" = %systemdrivebitmask%
  - "NoViewOnDrive" = %systemdrivebitmask%
  - "NoClose" = 1
  - "DisallowRun" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
  - "10" = "iexplore.exe"
  - "11" = "msnmsgr.exe"
  - "12" = "msconfig.exe"
It can execute the following operations:
- delete cookies
- change the home page of web browser
- display a dialog window
- visit a specific website
- download files from a remote computer and/or the Internet
- run executable files
The trojan requires the Microsoft .NET Framework to run.
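The persistence and policy entries listed under Installation and Other information can be checked on a live host with a read-only script. The PowerShell below is an added example, not part of the original description; the helper names are hypothetical, and it assumes that %systemdrivebitmask% means the standard NoDrives bit for the system drive.

```powershell
# Added example (not from the original description): read-only check of HKCU
# and the Startup folder for the entries listed above.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Location, [string]$Name, $Data) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Data = $Data })
}
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# DWORD policy values the description lists as set to 1.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$flags = @(
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' },
    @{ Path = "$pol\System";   Name = 'DisableTaskMgr' },
    @{ Path = "$pol\System";   Name = 'DisableRegistryTools' },
    @{ Path = "$pol\Explorer"; Name = 'NoClose' },
    @{ Path = "$pol\Explorer"; Name = 'DisallowRun' }
)
foreach ($f in $flags) {
    $v = Get-RegValue $f.Path $f.Name
    if ($v -eq 1) { Add-Finding $f.Path $f.Name $v }
}

# Assumption: %systemdrivebitmask% is the NoDrives bit of the system drive (A=1, B=2, C=4, ...).
$bit = 1 -shl ([int][char]$env:SystemDrive.ToUpper()[0] - [int][char]'A')
foreach ($n in 'NoDrives', 'NoViewOnDrive') {
    $v = Get-RegValue "$pol\Explorer" $n
    if ($null -ne $v -and ($v -band $bit)) { Add-Finding "$pol\Explorer" $n $v }
}

# DisallowRun entries naming the three blocked programs (matched on data, not value name).
$blocked = 'iexplore.exe', 'msnmsgr.exe', 'msconfig.exe'
$key = Get-Item -Path "$pol\Explorer\DisallowRun" -ErrorAction SilentlyContinue
if ($key) {
    foreach ($n in $key.GetValueNames()) {
        $d = [string]$key.GetValue($n)
        if ($blocked -contains $d) { Add-Finding $key.Name $n $d }
    }
}

# Persistence: a default value on the Run key, and executables in the Startup folder.
$run = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.GetValue('')) { Add-Finding $run.Name '(Default)' $run.GetValue('') }
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding $_.DirectoryName $_.Name $_.Length }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed entries found.' }
```

Run it in the affected user's session, because every key is under HKEY_CURRENT_USER. An empty result does not clear the host, since the description says the trojan only may set the policy entries.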