Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | July 2006 (4.07) |
| Protection available since | 29 May 2006 11:28:26 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/BeastPWS-C is a keylogging Trojan for the Windows platform.
Troj/BeastPWS-C has been seen to arrive in an email claiming to be a Microsoft patch for the Winlogon service.
When first installed, Troj/BeastPWS-C displays the following bogus message:
"Microsoft WinLogon Service successfully patched."
Troj/BeastPWS-C has functionality to email keystrokes and to communicate with a remote URL via HTTP.
When first run, Troj/BeastPWS-C copies itself to <System>\winlogon_patchv1.12 and creates the following file:
<Windows>\winlogon_patchv1.dll
Troj/BeastPWS-C attempts to inject the DLL component into iexplore.exe (the Internet Explorer process) if it is running. The DLL contains functionality to log keystrokes and email them to a remote address. Troj/BeastPWS-C also has functionality to communicate with a remote URL via HTTP.
Troj/BeastPWS-C creates the following registry entry in an attempt to run itself on restart:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E22DC74F-B084-F0F8-1BCE-00C8AF63188D}\
StubPath
<System>\winlogon_patchv1.12
Troj/BeastPWS-C may also create an entry in the following registry key to run itself on restart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Troj/BeastPWS-C sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\srservice
Start
4
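The registry changes listed above can be checked offline against a `reg export` of HKLM. The following triage sketch is an added example, not part of the original analysis or any Sophos tool; the function names are hypothetical, the export is assumed to be already decoded to text, and the sample export (including `C:\WINDOWS\system32` standing in for <System>) is constructed.

```python
import re

# Indicators taken from the description above; matching is case-insensitive.
ACTIVE_SETUP = (r"hkey_local_machine\software\microsoft\active setup"
                r"\installed components\{e22dc74f-b084-f0f8-1bce-00c8af63188d}")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SRSERVICE = r"hkey_local_machine\system\currentcontrolset\services\srservice"
DROPPED_NAME = "winlogon_patchv1"

def parse_reg(text):
    """Parse .reg export text into {key_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(text):
    """Return a list of findings matching the persistence described above."""
    keys, hits = parse_reg(text), []
    stub = keys.get(ACTIVE_SETUP, {}).get("stubpath", "")
    if DROPPED_NAME in stub.lower():
        hits.append("Active Setup StubPath -> " + stub)
    for name, data in keys.get(RUN_KEY, {}).items():
        if DROPPED_NAME in data.lower():
            hits.append("Run value %r -> %s" % (name, data))
    if keys.get(SRSERVICE, {}).get("start", "").lower() == "dword:00000004":
        hits.append("srservice Start=4 (service disabled)")
    return hits

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E22DC74F-B084-F0F8-1BCE-00C8AF63188D}]
"StubPath"="C:\\WINDOWS\\system32\\winlogon_patchv1.12"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Start"=dword:00000004
'''

if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE)))
```

The Run key check matches on the dropped file name in the value data, because the description does not give the value name used there.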
