MonitoringTool:Win32/FamilyKeyLogger


MonitoringTool:Win32/FamilyKeyLogger is a commercial monitoring tool called "Family Keylogger". It can stealthily record your keystrokes and track applications you launch, emails you send, websites you visit and information you type into website forms.

This tool may be present and installed intentionally by a computer user.



What to do now

Monitoring programs are typically installed by the computer owner or administrator and should only be removed if unexpected. MonitoringTool:Win32/FamilyKeyLogger may place an uninstaller entry in Control Panel > Add or Remove Programs (Windows XP) or Control Panel > Programs > Uninstall a Program (Windows Vista and Windows 7).

Note that this uninstaller will not remove or delete the log file where the keystrokes and other information have been stored; the captured data stays on disk in the locations listed under Additional information until it is deleted separately.

If an uninstaller is not available or if you do not want to use the uninstaller that is provided, you can use the following scanning and removal tools to detect and remove this program and other unwanted software from your computer:

Threat behavior

Installation

When first run, MonitoringTool:Win32/FamilyKeyLogger may create the following files:

  • <random name>.dll
  • <random name>.exe
  • QuickStart.html
  • uninstall.exe

Where <random name> is a specific string that differs between installations of the tool. In the wild, we have observed the following names:

  • cisvc
  • ctfmon
  • mw2mmgr32
  • mwmmgr32
  • svcdotnet
  • svcnet2

The tool creates these files in a folder path that also differs between installations of the tool. In the wild, we have observed the following folder paths:

  • %ProgramFiles%\FamilyKeyLogger
  • %windir%\mw2mmgr32
  • %windir%\svcdotnet
  • %windir%\svcnet2
  • <system folder>\CTF
  • <system folder>\mwmmgr32

For example, we have observed the following files and folder paths for one installation of the tool:

  • %ProgramFiles%\FamilyKeyLogger\cisvc.dll
  • %ProgramFiles%\FamilyKeyLogger\cisvc.exe
  • %ProgramFiles%\FamilyKeyLogger\QuickStart.html
  • %ProgramFiles%\FamilyKeyLogger\uninstall.exe

And the following for another installation of the tool:

  • <system folder>\CTF\ctfmon.dll
  • <system folder>\CTF\ctfmon.exe
  • <system folder>\CTF\QuickStart.html
  • <system folder>\CTF\uninstall.exe

Note: %ProgramFiles% refers to a variable location that is determined by the tool by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".

Note: %windir% refers to a variable location that is determined by the tool by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, and 7 it is "C:\Windows".

Note: <system folder> refers to a variable location that is determined by the tool by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".

It also drops the following shortcut files (LNK) into the "<start menu>\Programs\Family Keylogger\" folder:

  • Family Keylogger.lnk
  • Help.lnk
  • Quick Start.lnk
  • Reset Settings.lnk
  • Uninstall.lnk

Note: <start menu> refers to a variable location that is determined by the tool by querying the operating system. The default location for the Start Menu folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Start Menu". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu".

MonitoringTool:Win32/FamilyKeyLogger modifies the registry to ensure that it runs at each Windows start. The value and data the tool modifies varies between installations; we have observed the following modifications:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svcnet2"
With data: "%windir%\svcnet2\svcnet2.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "svcdotnet"
With data: "%windir%\svcdotnet\svcdotnet.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Sys32V2Contoller"
With data: "%windir%\mw2mmgr32\mw2mmgr32.exe"

It also modifies the registry to create an option in the Programs and Features control panel menu that will uninstall the tool.

The name of the registry subkey differs between installations of the tool; in the wild we have observed the following subkeys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FKL
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FamilyKeyLogger

The tool will set the following values and data under the chosen subkey:

Sets value: "DisplayName"
With data: "Family-Keylogger (remove only)"

Sets value: "UninstallString"
With data: "<path of uninstall.exe>"

In our analysis, however, we determined that using this uninstallation option will not remove or delete the log file where the keystrokes and other information have been stored.

MonitoringTool:Win32/FamilyKeyLogger also creates the following registry keys, possibly to check if the tool has already been installed on your computer:

  • HKLM\Software\SAXP32\F4KL
  • HKLM\Software\svcdotnet
  • HKLM\Software\KMiNT21\FamilyKeyLogger

Additional information

The following is a screenshot of the monitoring tool's interface:

The tool also appears in the taskbar notification area, with the following pop-up menu:

The monitoring tool opens "QuickStart.html", which it creates during installation. The HTML file appears as follows:

MonitoringTool:Win32/FamilyKeyLogger stealthily records your keystrokes and tracks applications you launch, emails you send, websites you visit and information you type into website forms.

The gathered information may be saved into the following files, using the file name the tool used during its installation:

  • <random name>.cfg
  • <random name>.inc
  • <random name>.txt

For example, we have observed the following file names for one installation of the tool:

  • mwmmgr.cfg
  • mwmmgr.inc
  • mwmmgr.txt

And the following for another installation of the tool:

  • svcdotnet.cfg
  • svcdotnet.inc
  • svcdotnet.txt

It creates these files in either the "%ALLUSERSPROFILE%\Application Data" folder or the tool's original installation folder, for example:

  • %ProgramFiles%\FamilyKeyLogger\cisvc.cfg
  • %ProgramFiles%\FamilyKeyLogger\cisvc.inc
  • %ProgramFiles%\FamilyKeyLogger\cisvc.txt

Note: %ALLUSERSPROFILE% refers to a variable location that is determined by the tool by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\All Users". For Windows Vista and 7, the default location is "C:\ProgramData".
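Because the uninstaller leaves the captured data on disk, an administrator who finds this tool on a machine where it was not expected will want to locate and remove those files. The following Python script is an added example, not code from this encyclopedia entry or from the Family Keylogger product. It recovers the "<random name>" from the installation layout described under Installation (a <name>.exe and <name>.dll pair beside QuickStart.html and uninstall.exe), falls back to the names observed in the wild when the installation folder is already gone, and checks both folders the entry names for the .cfg, .inc and .txt files. It also allows for the mismatch visible in the Symptoms list, where the mwmmgr32 and mw2mmgr32 installations log to mwmmgr.* and mw2mmgr.*. The temporary folder layout built by demo() and the helper names are constructed for illustration.

```python
# Added example, not part of the Microsoft encyclopedia entry or of the
# Family Keylogger product. Locates the .cfg/.inc/.txt files the tool's
# uninstaller leaves behind, given the installation folder and the
# All Users "Application Data" folder.
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Union

PathLike = Union[str, Path]

# Suffixes the entry lists for the tool's settings and captured data.
LOG_SUFFIXES = (".cfg", ".inc", ".txt")
# Files the installer always drops next to the randomly named .exe/.dll.
MARKER_FILES = {"quickstart.html", "uninstall.exe"}
# "<random name>" values observed in the wild, used when the install
# folder no longer exists (the uninstaller may already have removed it).
OBSERVED_NAMES = ("cisvc", "ctfmon", "mw2mmgr32", "mwmmgr32", "svcdotnet", "svcnet2")


def install_basename(install_dir: PathLike) -> Optional[str]:
    """Recover "<random name>" from an installation folder, or None.

    An installation holds <name>.exe, <name>.dll, QuickStart.html and
    uninstall.exe, so the name is the stem shared by an .exe/.dll pair.
    """
    folder = Path(install_dir)
    if not folder.is_dir():
        return None
    names = {p.name.lower() for p in folder.iterdir() if p.is_file()}
    if not MARKER_FILES <= names:
        return None
    for n in sorted(names):
        stem = n[:-4]
        if n.endswith(".exe") and n != "uninstall.exe" and stem + ".dll" in names:
            return stem
    return None


def log_basenames(names: Iterable[str]) -> List[str]:
    """Expand install names into candidate log-file stems.

    The entry shows mwmmgr32 and mw2mmgr32 installations logging to
    mwmmgr.* and mw2mmgr.*, so each name is tried with and without a
    trailing "32".
    """
    stems = set()
    for n in names:
        stems.add(n.lower())
        if n.lower().endswith("32"):
            stems.add(n.lower()[:-2])
    return sorted(stems)


def find_leftover_logs(install_dir: PathLike, allusers_appdata: PathLike) -> List[Path]:
    """Return the tool's log/config files present in either folder the entry names."""
    candidates = list(OBSERVED_NAMES)
    derived = install_basename(install_dir)
    if derived is not None:
        candidates.append(derived)
    found: List[Path] = []
    for folder in (Path(install_dir), Path(allusers_appdata)):
        if not folder.is_dir():
            continue
        for stem in log_basenames(candidates):
            for suffix in LOG_SUFFIXES:
                candidate = folder / (stem + suffix)
                if candidate.is_file() and candidate not in found:
                    found.append(candidate)
    return found


def demo() -> List[Path]:
    """Build a constructed post-uninstall layout in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    install = root / "Program Files" / "FamilyKeyLogger"
    appdata = root / "Documents and Settings" / "All Users" / "Application Data"
    install.mkdir(parents=True)
    appdata.mkdir(parents=True)
    # One installation used the name cisvc and logged into its own folder.
    for name in ("cisvc.exe", "cisvc.dll", "QuickStart.html", "uninstall.exe",
                 "cisvc.cfg", "cisvc.txt"):
        (install / name).write_bytes(b"constructed sample")
    # An earlier mw2mmgr32 installation, since removed, left mw2mmgr.inc behind.
    (appdata / "mw2mmgr.inc").write_bytes(b"constructed sample")
    return find_leftover_logs(install, appdata)


if __name__ == "__main__":
    for path in demo():
        print("leftover keylogger data:", path)
```

On a real machine, call find_leftover_logs() with the expanded %ProgramFiles%, %windir% or <system folder> installation path and the expanded %ALLUSERSPROFILE%\Application Data path. The log files contain whatever was typed while the tool ran, including passwords, so treat them as sensitive when copying them off for review and delete them securely afterwards.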

Analysis by Ric Robielos


Symptoms

System changes

The following system changes may indicate the presence of MonitoringTool:Win32/FamilyKeyLogger:

  • The presence of the following files:

    %ALLUSERSPROFILE%\Application Data\mw2mmgr.cfg
    %ALLUSERSPROFILE%\Application Data\mw2mmgr.inc
    %ALLUSERSPROFILE%\Application Data\mw2mmgr.txt
    %ALLUSERSPROFILE%\Application Data\mwmmgr.cfg
    %ALLUSERSPROFILE%\Application Data\mwmmgr.inc
    %ALLUSERSPROFILE%\Application Data\mwmmgr.txt
    %ALLUSERSPROFILE%\Application Data\svcdotnet.cfg
    %ALLUSERSPROFILE%\Application Data\svcdotnet.inc
    %ALLUSERSPROFILE%\Application Data\svcdotnet.txt
    %ALLUSERSPROFILE%\Application Data\svcnet2.cfg
    %ALLUSERSPROFILE%\Application Data\svcnet2.inc
    %ALLUSERSPROFILE%\Application Data\svcnet2.txt
    %ProgramFiles%\FamilyKeyLogger\cisvc.cfg
    %ProgramFiles%\FamilyKeyLogger\cisvc.dll
    %ProgramFiles%\FamilyKeyLogger\cisvc.exe
    %ProgramFiles%\FamilyKeyLogger\cisvc.inc
    %ProgramFiles%\FamilyKeyLogger\cisvc.txt
    %ProgramFiles%\FamilyKeyLogger\QuickStart.html
    %ProgramFiles%\FamilyKeyLogger\uninstall.exe
    %System%\CTF\ctfmon.cfg
    %System%\CTF\ctfmon.dll
    %System%\CTF\ctfmon.exe
    %System%\CTF\ctfmon.inc
    %System%\CTF\ctfmon.txt
    %System%\CTF\QuickStart.html
    %System%\CTF\uninstall.exe
    %System%\mwmmgr32\mwmmgr32.dll
    %System%\mwmmgr32\mwmmgr32.exe
    %System%\mwmmgr32\QuickStart.html
    %System%\mwmmgr32\uninstall.exe
    %windir%\mw2mmgr32\mw2mmgr32.dll
    %windir%\mw2mmgr32\mw2mmgr32.exe
    %windir%\mw2mmgr32\QuickStart.html
    %windir%\mw2mmgr32\uninstall.exe
    %windir%\svcdotnet\QuickStart.html
    %windir%\svcdotnet\svcdotnet.dll
    %windir%\svcdotnet\svcdotnet.exe
    %windir%\svcdotnet\uninstall.exe
    %windir%\svcnet2\svcnet2.dll
    %windir%\svcnet2\svcnet2.exe
    %windir%\svcnet2\uninstall.exe
    <start menu>\Programs\Family Keylogger\Family Keylogger.lnk
    <start menu>\Programs\Family Keylogger\Help.lnk
    <start menu>\Programs\Family Keylogger\Quick Start.lnk
    <start menu>\Programs\Family Keylogger\Reset Settings.lnk
    <start menu>\Programs\Family Keylogger\Uninstall.lnk

  • The presence of the following registry modifications:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "svcnet2"
    With data: "%windir%\svcnet2\svcnet2.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Sys32V2Contoller"
    With data: "%windir%\mw2mmgr32\mw2mmgr32.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "svcdotnet"
    With data: "%windir%\svcdotnet\svcdotnet.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FKL
    Sets value: "DisplayName"
    With data: "Family-Keylogger (remove only)"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FKL
    Sets value: "UninstallString"
    With data: "<path of uninstaller file>"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FamilyKeyLogger
    Sets value: "DisplayName"
    With data: "Family-Keylogger (remove only)"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FamilyKeyLogger
    Sets value: "UninstallString"
    With data: "<path of uninstaller file>"

  • The display of the following program interface and message:

  • The display of the following icon and menu in the notification area of your taskbar:

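The registry modifications listed above under Installation and again here under System changes can be checked mechanically. The following Python script is an added example, not code from this encyclopedia entry or from Microsoft. It parses a registry export in the .reg text format and reports the Run values, Uninstall entries and marker keys the entry associates with the tool. Because cisvc.exe and ctfmon.exe are also the names of legitimate Windows binaries in the System32 folder, the script matches Run entries on the observed folder and executable pair (for example System32\CTF\ctfmon.exe) rather than on the file name alone, so it also catches a value name that has not been seen before. The sample export embedded in the script is constructed for illustration; the helper names are the example's own.

```python
# Added example, not part of the Microsoft encyclopedia entry. Scans a
# registry export (.reg text) for the Run values, Uninstall entries and
# marker keys the entry associates with MonitoringTool:Win32/FamilyKeyLogger.
import re
from typing import Dict, List

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_PREFIX = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" + "\\"

# Indicators taken from the entry (lower-cased for case-insensitive matching).
OBSERVED_RUN_VALUES = {"svcnet2", "svcdotnet", "sys32v2contoller"}  # "Contoller" as observed
OBSERVED_FOLDERS = {"familykeylogger", "mw2mmgr32", "svcdotnet", "svcnet2", "ctf", "mwmmgr32"}
OBSERVED_EXES = {"cisvc.exe", "ctfmon.exe", "mw2mmgr32.exe", "mwmmgr32.exe",
                 "svcdotnet.exe", "svcnet2.exe"}
UNINSTALL_SUBKEYS = {"fkl", "familykeylogger"}
DISPLAY_NAME = "Family-Keylogger (remove only)"
MARKER_KEYS = {r"hklm\software\saxp32\f4kl", r"hklm\software\svcdotnet",
               r"hklm\software\kmint21\familykeylogger"}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unquote(data: str) -> str:
    """Undo the REG_SZ quoting used in .reg files ("C:\\\\dir\\\\x.exe")."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # hex(...)/dword: values are left as written


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in a .reg export to its "name"=data pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _unquote(m.group(2))
    return keys


def suspicious_run_entry(name: str, data: str) -> bool:
    """Flag a Run value by observed name, or by observed folder + .exe pair.

    Matching on the file name alone would also hit the legitimate Windows
    binaries ctfmon.exe and cisvc.exe in System32; requiring the parent
    folder (e.g. System32\\CTF) avoids that false positive.
    """
    if name.lower() in OBSERVED_RUN_VALUES:
        return True
    parts = data.strip().strip('"').split("\\")
    if len(parts) < 2:
        return False
    return parts[-2].lower() in OBSERVED_FOLDERS and parts[-1].lower() in OBSERVED_EXES


def scan_reg_export(text: str) -> List[str]:
    """Return one finding per indicator present in the export."""
    findings: List[str] = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k == RUN_KEY.lower():
            for name, data in values.items():
                if suspicious_run_entry(name, data):
                    findings.append(f"Run value {name!r} -> {data}")
        elif k.startswith(UNINSTALL_PREFIX.lower()):
            subkey = k[len(UNINSTALL_PREFIX):]
            if subkey in UNINSTALL_SUBKEYS or values.get("DisplayName") == DISPLAY_NAME:
                findings.append(f"Uninstall entry {key}: {values.get('DisplayName', '?')}")
        elif k in MARKER_KEYS:
            findings.append(f"Marker key {key}")
    return findings


# Constructed sample export: one legitimate ctfmon entry, one observed value
# name, one unobserved name whose path matches, the FKL uninstall entry, an
# unrelated uninstall entry and a marker key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"Sys32V2Contoller"="C:\\Windows\\mw2mmgr32\\mw2mmgr32.exe"
"Updater"="\"C:\\Windows\\System32\\CTF\\ctfmon.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FKL]
"DisplayName"="Family-Keylogger (remove only)"
"UninstallString"="C:\\Program Files\\FamilyKeyLogger\\uninstall.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip]
"DisplayName"="7-Zip 9.20"

[HKEY_LOCAL_MACHINE\Software\SAXP32\F4KL]
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print(finding)
```

A real export produced with reg export on the Run, Uninstall and Software keys is written as UTF-16 with a byte-order mark, so read it with encoding "utf-16" before passing the text to scan_reg_export(). The file-system indicators from the list above are a separate check; the registry scan is useful because the Run value survives even when the executable has been renamed.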
Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Dec 08, 2006
This entry was updated on: Oct 23, 2012

This threat is also detected as:
  • Keylog-Family (McAfee)
  • FamilyKeylogger (Sophos)