MonitoringTool:Win32/Actmon is monitoring software for PC and Internet activity.
It is capable of the following actions:
- Log keystrokes
- Record URLs of visited sites
- Monitor instant messaging conversations
- List running applications
All gathered data can be sent to a third party by email or saved as a log file on the system.
Upon installation, it creates the following files:
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also creates the following registry keys as part of its installation routine:
It adds the following registry entry to ensure that it runs every time Windows starts:
Adds value: "wskrnl"
With data: ""<system folder>\wskrnl.exe" -at"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
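A check for this autostart entry, as an added example that is not part of the original analysis: it reads the subkey named above, compares the "wskrnl" value against the documented data with <system folder> resolved on the local machine, and reports whether the referenced file exists. The function name Test-ActmonRunEntry and the output field names are hypothetical.

```powershell
# Added example, not from the original write-up.
# Subkey, value name and data format are taken from the entry above;
# the function name and result fields are illustrative.
$subkey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$valueName = 'wskrnl'

# Resolve <system folder> on this machine (e.g. C:\Windows\System32).
$systemDir = [Environment]::SystemDirectory
$exePath   = Join-Path $systemDir 'wskrnl.exe'
$expected  = '"{0}" -at' -f $exePath

function Test-ActmonRunEntry {
    $result = [ordered]@{
        SubkeyExists = Test-Path -LiteralPath $subkey
        ValuePresent = $false
        ValueData    = $null
        DataMatches  = $false
        FileExists   = Test-Path -LiteralPath $exePath -PathType Leaf
        FileSha256   = $null
    }

    if ($result.SubkeyExists) {
        # Get-ItemProperty returns $null when the key holds no values.
        $props = Get-ItemProperty -LiteralPath $subkey -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
            $result.ValuePresent = $true
            $result.ValueData    = [string]$props.$valueName
            # Case-insensitive compare: Windows paths are not case-sensitive.
            $result.DataMatches  = $result.ValueData -ieq $expected
        }
    }

    if ($result.FileExists) {
        # Record a hash so the file can be compared against a scanner verdict.
        $result.FileSha256 = (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash
    }

    [pscustomobject]$result
}

$r = Test-ActmonRunEntry
$r | Format-List
if ($r.ValuePresent -or $r.FileExists) {
    Write-Warning "Indicators matching MonitoringTool:Win32/Actmon found; review $subkey and $exePath."
}
```

A value that is present but whose data does not match is still worth reviewing, since the documented data depends on where the system folder is located.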
When run, it displays the following user interface:
Analysis by Jireh Sanico