Troj/BeastPWS-C

Category: Viruses and Spyware
Protection available since: 29 May 2006 00:00:00 (GMT)
Type: Trojan
Last Updated: 29 May 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


Troj/BeastPWS-C is a keylogging Trojan for the Windows platform.

Troj/BeastPWS-C has been seen to arrive in an email claiming to be a Microsoft patch for the Winlogon service.

When first installed, Troj/BeastPWS-C displays the following bogus message:
"Microsoft WinLogon Service successfully patched."

Troj/BeastPWS-C has functionality to email keystrokes and to communicate with a remote URL via HTTP.

When first run, Troj/BeastPWS-C copies itself to <System>\winlogon_patchv1.12 and creates the following file:

<Windows>\winlogon_patchv1.dll

Troj/BeastPWS-C attempts to inject the DLL component into iexplore.exe (the Internet Explorer process) if it is running. The DLL contains functionality to log keystrokes and email them to a remote address. Troj/BeastPWS-C also has functionality to communicate with a remote URL via HTTP.

Troj/BeastPWS-C creates the following registry entry in an attempt to run itself on restart:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E22DC74F-B084-F0F8-1BCE-00C8AF63188D}\
StubPath
<System>\winlogon_patchv1.12

Troj/BeastPWS-C may also create an entry in the following registry key to run itself on restart:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Troj/BeastPWS-C sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4
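
A read-only host check for the file, registry and process indicators listed above, as an added example that is not part of the original description. It goes beyond the page by also checking the SysWOW64 folder and the WOW6432Node registry view, on the assumption that a 32-bit sample on 64-bit Windows would be redirected there.

```powershell
# Added example: read-only check for the indicators in this description.
$findings = New-Object 'System.Collections.Generic.List[string]'

# <System>\winlogon_patchv1.12 and <Windows>\winlogon_patchv1.dll.
# SysWOW64 is an assumption beyond the page (32-bit file system redirection).
$files = @(
    "$env:windir\System32\winlogon_patchv1.12",
    "$env:windir\SysWOW64\winlogon_patchv1.12",
    "$env:windir\winlogon_patchv1.dll"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# Persistence: native and 32-bit (WOW6432Node, assumed) views of HKLM\SOFTWARE.
foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $as = "$sw\Microsoft\Active Setup\Installed Components\{E22DC74F-B084-F0F8-1BCE-00C8AF63188D}"
    if (Test-Path -LiteralPath $as) {
        $stub = (Get-ItemProperty -LiteralPath $as -ErrorAction SilentlyContinue).StubPath
        $findings.Add("Active Setup entry present: $as (StubPath = '$stub')")
    }
    # The page names the Run key but not the value name, so match on the data.
    $run = Get-Item -LiteralPath "$sw\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            $data = [string]$run.GetValue($name)
            if ($data -like '*winlogon_patchv1*') { $findings.Add("Run value '$name' = '$data'") }
        }
    }
}

# Start = 4 marks the srservice service as disabled.
$svc = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\srservice' -ErrorAction SilentlyContinue
if ($svc -and $svc.Start -eq 4) { $findings.Add('srservice Start = 4 (disabled)') }

# DLL component loaded in a running Internet Explorer process.
foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    try {
        $p.Modules | Where-Object { $_.ModuleName -ieq 'winlogon_patchv1.dll' } |
            ForEach-Object { $findings.Add("DLL loaded in iexplore.exe (PID $($p.Id)): $($_.FileName)") }
    } catch { Write-Warning "Could not read modules of PID $($p.Id): $_" }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from this description were found.' }
```

A disabled srservice on its own can be an administrator's choice, so treat that line as supporting evidence next to a file or registry hit.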
