Threat behavior
Trojan:WinNT/Gekey.A!rootkit is the detection for the multi-partite malware that consists of the dropper, password stealing and rootkit trojan. It logs keystrokes and other user credentials, and sends this information to a remote attacker. Its malicious activity is hidden to the affected user.
The dropper component does the following:
- Extracts and saves the password stealing and rootkit driver as %TEMP%\getkey.sys (also detected as Trojan:WinNT/Gekey.A!rootkit).
- Initiates / stops the logging of keystrokes by communicating to the driver file %TEMP%\getkey.sys.
Note: %TEMP%\getkey.sys driver file is hidden to the user level applications.
Payload
Log keystrokes and steals credentials
The malware logs keystrokes from applications and saves the details to temporary file %TEMP%\qimawy.txt. The logged information may include, but is not limited to IP address, computer name, CPU information, usernames and password from various applications. After this information has been recorded, the log file is sent to the remote attacker via HTTP.
Analysis by Rodel Finones
Prevention
