
PWS:MSIL/Kelopol.B


PWS:MSIL/Kelopol.B is a trojan password stealer. It captures user and system information and sends this data to an attacker via SMTP email.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

PWS:MSIL/Kelopol.B is a trojan password stealer. It captures user and system information and sends this data to an attacker via SMTP email.
Installation

PWS:MSIL/Kelopol.B may be installed by other malware.

Payload

Captures & sends sensitive information

When run, it captures user and system information such as the following:
  • computer name
  • user login name
  • list of applications in use
  • list of web services running with hashes of each
 
Collected data is then sent via SMTP email to a Gmail user account named "rifai1".
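
The exfiltration channel described above (a non-mail process sending collected data over SMTP to a Gmail account) is something a defender can look for in endpoint network logs. The following is an added example, not part of the original entry or any Microsoft tooling; the log format, field names, the process names and the full recipient address are constructed assumptions for the demonstration.

```python
"""Flag outbound SMTP sessions that match the Kelopol.B exfiltration pattern:
a process that is not a known mail client delivering to a Gmail recipient.
Added example; log format and allow-list are assumptions, not from the entry."""
import re
from collections import namedtuple

# Constructed endpoint-log lines (pid, image path, destination, RCPT TO address).
SAMPLE_LOG = """\
pid=4120 image=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE dst=smtp.office365.com:587 rcpt=boss@example.com
pid=5588 image=C:\\Users\\alice\\AppData\\Roaming\\svch0st.exe dst=smtp.gmail.com:587 rcpt=rifai1@gmail.com
pid=5588 image=C:\\Users\\alice\\AppData\\Roaming\\svch0st.exe dst=smtp.gmail.com:465 rcpt=rifai1@gmail.com
pid=2210 image=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe dst=smtp.gmail.com:587 rcpt=friend@gmail.com
pid=3301 image=C:\\Windows\\System32\\svchost.exe dst=update.example.com:443 rcpt=-
"""

LINE_RE = re.compile(r"pid=(\d+) image=(.+?) dst=([^:\s]+):(\d+) rcpt=(\S+)")
SMTP_PORTS = {25, 465, 587}
# Assumed allow-list of processes that are legitimately expected to speak SMTP.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

Alert = namedtuple("Alert", "pid image dst rcpt")


def is_gmail_delivery(host, rcpt):
    """True when the session targets Gmail, by server name or recipient domain."""
    return host.lower() == "smtp.gmail.com" or rcpt.lower().endswith("@gmail.com")


def find_smtp_exfil(log_text):
    """Return one Alert per SMTP session from a non-mail-client process to Gmail."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        pid, image, host, port, rcpt = m.groups()
        if int(port) not in SMTP_PORTS:
            continue  # only SMTP submission/relay ports are of interest here
        exe = image.rsplit("\\", 1)[-1].lower()
        if is_gmail_delivery(host, rcpt) and exe not in KNOWN_MAIL_CLIENTS:
            alerts.append(Alert(int(pid), image, f"{host}:{port}", rcpt))
    return alerts


if __name__ == "__main__":
    for a in find_smtp_exfil(SAMPLE_LOG):
        print(f"ALERT pid={a.pid} {a.image} -> {a.dst} rcpt={a.rcpt}")
```

Only the two sessions from the unknown binary in the user's roaming profile are flagged; the Thunderbird session to Gmail and the HTTPS connection are not.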
Additional Information

The trojan contains the following string, which is never displayed:

  Based off of the polymorphic keylogger tutorial written by <name redacted>
 
Analysis by Haoran Yu & Patrick Nolan

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.99.7.0
Latest detected by definition: 1.175.2401.0 and higher
First detected on: Feb 23, 2011
This entry was first published on: Mar 03, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Gen:Heur.MSIL.Krypt.5 (BitDefender)
  • MSIL/Spy.Keylogger.BE (ESET)
  • Spyware (Ikarus)
  • Generic Keylogger.an (McAfee)
  • Mal/MSIL-BV (Sophos)