Would like to identify this


Jeff B

Last week I posted a message about the following file: kx.dta

It was the output for a keylogger program. I'm running W98SE, and nothing
turned up with Norton 2003, Pest Patrol, or Fix-It virus scan.

I found an entry in my Startup (msconfig/startup) that was labeled msscv and
it used SVCHOST in the command line. I was not able to disable this item,
it kept re-checking itself. Likewise, I found the keys in the registry, and
any changes or deletions there simply resulted in a new key being created.

I was able to finally remove the registry items in Safe Mode, and the item
no longer appears in my startup list. The file kx.dta is no longer being
produced.

What I would really like to know is what trojan/keylogger produces the file
kx.dta. Can anyone answer that? I'm reposting the question mostly because
last week the thread trailed off into a discussion of search capabilities
for various operating systems..... really, it did :-)

The reason I want to know is that the computer belongs to a friend of mine,
and he uses it for his home business. As far as I know, someone else had
full access to his customers data and all of his account passwords...
anything that was typed. I have logs of the suspect IP addresses where the
file was being sent, but I think more info would be helpful before turning
this info over for possible prosecution.

Many thanks
Jeff B
 
Nick FitzGerald

Jeff B said:
Last week I posted a message about the following file: kx.dta

I remember...
It was the output for a keylogger program. I'm running W98SE, and nothing
turned up with Norton 2003, Pest Patrol, or Fix-It virus scan.

Did you send samples of the EXE you finally isolated to those (and other?)
anti-[virus|malware] companies?
I found an entry in my Startup (msconfig/startup) that was labeled msscv and
it used SVCHOST in the command line. I was not able to disable this item,
it kept re-checking itself. Likewise, I found the keys in the registry, and
any changes or deletions there simply resulted in a new key being created.

Given you fixed it by repeating this process in Safe Mode, that would be because
the program was running and actively resetting its registry startup values to
"cover its back".
I was able to finally remove the registry items in Safe Mode, and the item
no longer appears in my startup list. The file kx.dta is no longer being
produced.
Excellent!

What I would really like to know is what trojan/keylogger produces the file
kx.dta. Can anyone answer that? I'm reposting the question mostly because
last week the thread trailed off into a discussion of search capabilities
for various operating systems..... really, it did :-)

The reason is because searching for kx.dta turns up no useful hits. Whilst
"Google is your friend" is often well understood in the positive sense, I
note many people have trouble understanding the "value" of a negative Google
result. As Google was no help in this case, it almost certainly means that
knowing the filename kx.dta is of no diagnostic value. It is quite easy to
imagine that a keylogger could have a configuration utility (much as many
of the RATs do) that allows the person planning to use it to set all manner
of options such as startup method(s) used, filenames used, registry key and/or
value names used, filenames of logged data, Email address to send logged
data to and Email server to relay through (if the logger supports mailing),
FTP site to upload logged data to (if the logger supports FTP'ing), etc,
etc, etc.

Of course, it could also mean that the keylogger is entirely new and
otherwise unknown. In that case, the kx.dta filename might be a useful
"symptom" to know _in future_, but as it has not yet been determined to be a
useful symptom of a known "possibly unwanted application" it would not be
documented anywhere. In this case, getting samples of the suspect program
files to several antivirus developers is very important, so they can add
detection and help others who may be exposed to it...
The reason I want to know is that the computer belongs to a friend of mine,
and he uses it for his home business. As far as I know, someone else had
full access to his customers data and all of his account passwords...
Yep...

anything that was typed. I have logs of the suspect IP addresses where the
file was being sent, but I think more info would be helpful before turning
this info over for possible prosecution.

Have you taken all the precautions and "evidence handling" procedures that
are necessary in the legal jurisdiction where the computer is located? If
not, you may not be able to take that line of enquiry very far. In fact, if
you have not taken all the due diligence measures required in the machine's
legal locale, your "fixing" the machine may have been more than sufficient
to "pollute" the machine enough that it is now not conceivably possible to
use any information gathered from it for any legal process. In general, the
possibility that something on a computer may later be used as evidence in
legal proceedings has to be taken into consideration _before anything else
is done to the machine_ -- this is the primary rule of incident handling.
Many thanks

You're welcome.
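An added illustration of the startup-entry symptom discussed above (example code written for this page, not from the thread or any product): on NT-family Windows the genuine svchost.exe is started only by the service control manager, and Windows 9x does not ship it at all, so a Run/RunServices entry that launches an "svchost" (like the msscv entry described) is a persistence red flag worth listing before cleanup, and re-listing afterwards to see whether the entry has re-created itself. The script parses a regedit-style export; the sample export and its entries are constructed, and Python is an assumed tool choice.

```python
import re

# Constructed sample of a regedit export; the entries are invented for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"msscv"="C:\\WINDOWS\\SYSTEM\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTray"="SysTray.Exe"
"""

# Matches the autostart keys regedit exports: ...\CurrentVersion\Run, RunOnce, RunServices.
RUN_KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\CurrentVersion\\Run(Services|Once)?\]$",
                        re.IGNORECASE)
# A string value line in .reg syntax: "name"="data" (backslashes are doubled in exports).
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_entries(reg_text):
    """Return {(key_line, value_name): command} for every autostart value found."""
    entries = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only track values that sit under an autostart key.
            current = line if RUN_KEY_RE.match(line) else None
            continue
        m = VALUE_RE.match(line)
        if current and m:
            # Undo the .reg export's backslash doubling so paths read naturally.
            entries[(current, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries


def suspicious_entries(entries):
    """Names of autostart values whose command invokes an svchost binary.
    The real svchost is never launched from a Run key, so any hit deserves a look."""
    return sorted(name for (_key, name), cmd in entries.items()
                  if "svchost" in cmd.lower())


def reappeared(before_cleanup, after_cleanup, removed_names):
    """Names you deleted that are present again in a later export, i.e. the
    self-restoring behaviour seen when the logger is still running."""
    return sorted(n for n in removed_names
                  if any(name == n for (_k, name) in after_cleanup)
                  and any(name == n for (_k, name) in before_cleanup))


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_REG)
    print("suspicious:", suspicious_entries(found))
```

Export the Run keys with regedit before and after deleting the entry; if `reappeared()` still lists it, the process that restores it is still running and the deletion has to be repeated from Safe Mode, as the thread describes.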
 
Thanks for the feedback Nick. I'm no Sherlock Holmes, to be sure. All the
evidence has been destroyed. I was unable to get Norton's submitter to
accept a suspect exe or the data file, and in frustration (fear?) I deleted
the items. Alas.....

I've known for a while that Google was my friend, but I never heard the
phrase until I popped up in here. That was the very first place I went with
"kx.dta". The "negative" value of the search did indeed cross my wee mind -
perhaps something new, still unknown..... I would be a hero for being the
first to put my finger in the dike.

It's possible that something was picked up in the wild and so it's
relatively unknown. It's also just as possible an angry person
intentionally "planted" something. I was hoping the data file name or the
startup entry of "mssrv" would trigger someone's memory, apparently not the
case. So.... maybe the best I can hope for is to plant the names in the
minds of many -- in the (unlikely) event that the invasion has yet to begin.

That only leaves me knowing a few IP addresses where the data is suspected
of going. Best I could do now is give them a ring and try to scare them a
little, which hardly seems worth the effort. They did at least get to read
a couple of e-mails where I discussed them in detail... I let those pass
thru. :-) Otherwise, I guess I blew it this time; but I still feel good for
stopping the thing cold on at least one machine.

I'll probably stay tuned in to this NG for a while, maybe I can learn a few
new tricks before the next invasion.

Sincerely
Jeff B


 