Troj/Keylog-AK

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Keylog-AK is a password-stealing Trojan that attempts to steal confidential information and send it to a remote location.

Troj/Keylog-AK includes functionality to steal confidential information, including user account information and passwords from Hotmail, Outlook Express, MSN Explorer, Microsoft Internet Account Manager and other email-related applications.

Troj/Keylog-AK may also harvest information from the clipboard.

Once installed, Troj/Keylog-AK creates the folder <System>\service.

Troj/Keylog-AK then copies itself to <System>\service\explorer.exe and creates the following file and runs it:

<System>\service\dll.dll

This file is also detected as Troj/Keylog-AK. When first run, the DLL file component will begin to keylog information.

Troj/Keylog-AK may also create the following files:

<System>\service\dllw.txt
<System>\service\dlls.txt
<System>\service\dllp.txt
<System>\service\dll<random number>.txt
<System>\service\reoxconf1.sp
<System>\service\reoxconf.sp
<System>\service\reoxconf1.sam
<System>\service\reoxconf.sam
<System>\service\reoxconf.dl
<System>\service\scr<random number>.html

These files may be deleted.

The following registry entries are created to run explorer.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
explorer
<System>\service\explorer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
<number>
<System>\service\explorer.exe

Troj/Keylog-AK may modify the HOSTS file to map the URLs of selected websites to its own IP addresses, in order to effect redirection and thereby hijack browsing.
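
A triage check for the artifacts listed in this description, as an added example that is not Sophos's own code. It assumes <System> is the Windows system directory and that <random number> is a run of digits; run it as the affected user, because both Run keys are under HKCU.

```powershell
# Added example. Assumption: <System> is the Windows system directory.
$svc     = Join-Path ([Environment]::SystemDirectory) 'service'
$dropped = Join-Path $svc 'explorer.exe'
# File names from the description; <random number> is assumed to be digits only.
$names = '^(explorer\.exe|dll\.dll|dll[wsp]\.txt|dll\d+\.txt|' +
         'reoxconf1?\.(sp|sam)|reoxconf\.dl|scr\d+\.html)$'
$findings = @()

# 1. Listed files inside <System>\service
if (Test-Path -LiteralPath $svc) {
    $findings += @(Get-ChildItem -LiteralPath $svc -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $names } |
        ForEach-Object { [pscustomobject]@{ Kind = 'File'; Location = $_.FullName; Detail = "$($_.Length) bytes" } })
}

# 2. Autostart values whose data references the dropped explorer.exe
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data.IndexOf($dropped, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $findings += [pscustomobject]@{ Kind = 'RunValue'; Location = "$key\$name"; Detail = $data }
        }
    }
}

# 3. A running process whose image is the dropped copy, not the real Windows shell
$findings += @(Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ieq $dropped } |
    ForEach-Object { [pscustomobject]@{ Kind = 'Process'; Location = $_.ExecutablePath; Detail = "PID $($_.ProcessId)" } })

# 4. Active HOSTS entries, listed for manual review (not a verdict on their own)
$hosts = Join-Path ([Environment]::SystemDirectory) 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    $findings += @(Get-Content -LiteralPath $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*(#.*)?$' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'HostsEntry'; Location = $hosts; Detail = $_.Trim() } })
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed Troj/Keylog-AK artifacts found.' }
```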
