    TSPY_MAHA.S is a keylogger Trojan spy that uploads captured information to a certain site. I tested one of the URLs being accessed by the keylogger to check if it was still up.


    The URL displayed nothing, which was a good sign that it was still up. No error messages were returned. Testing further, by simply removing “parse.php” from the URL, I wanted to see if I could find further information.



    To my surprise, directory listing is enabled! From here, you can either download the whole archive (archive_5f4a8.tar.gz) or just browse through the logged keystrokes in the folder “Logs”.


    The malware used the format _ of the infected machine/account where logged keystrokes are found.

    Browsing further inside, log files are named in the format DD_MM_YYYY.html, which corresponds to the actual date the log file was posted to the server.


    Various types of logged keystrokes (such as bank accounts, Yahoo! & MSN accounts, a PayPal account, and email conversations) were found inside the folders. I believe these accounts are still active and the passwords have not been changed.
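For responders working from a file listing of such a drop site, the DD_MM_YYYY.html names give each victim folder's exposure window, but only once parsed as dates, because the names do not sort chronologically as strings. The following is an added example, not code from the original post; the `Logs/<folder>/<file>` layout, the folder names and the dates in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Log file names follow DD_MM_YYYY.html, as described in the post.
LOG_NAME = re.compile(r"(\d{2})_(\d{2})_(\d{4})\.html")

def parse_log_date(filename):
    """Return the date encoded in a DD_MM_YYYY.html name, or None if invalid."""
    m = LOG_NAME.fullmatch(filename)
    if not m:
        return None
    day, month, year = map(int, m.groups())
    try:
        return date(year, month, day)
    except ValueError:  # well-formed name, impossible date (e.g. 31_02_2009)
        return None

def exposure_windows(paths):
    """Map each victim folder to (first_day, last_day, days_logged); also return skipped paths."""
    days = defaultdict(set)
    skipped = []
    for path in paths:
        parts = path.strip("/").split("/")
        # Assumed layout: Logs/<victim folder>/<DD_MM_YYYY.html>
        d = parse_log_date(parts[2]) if len(parts) == 3 and parts[0] == "Logs" else None
        if d is None:
            skipped.append(path)
        else:
            days[parts[1]].add(d)  # a set, so duplicate listings count once
    windows = {v: (min(ds), max(ds), len(ds)) for v, ds in days.items()}
    return windows, skipped

# Constructed listing; folder names and dates are placeholders, not from the post.
SAMPLE = [
    "Logs/victim-a/03_11_2008.html",
    "Logs/victim-a/28_10_2008.html",  # earlier than 03_11 despite sorting later as text
    "Logs/victim-a/28_10_2008.html",
    "Logs/victim-b/01_12_2008.html",
    "Logs/victim-b/31_02_2009.html",
    "Logs/index.html",
    "archive_5f4a8.tar.gz",
]

if __name__ == "__main__":
    windows, skipped = exposure_windows(SAMPLE)
    for victim, (first, last, n) in sorted(windows.items()):
        print(f"{victim}: {first} to {last} ({n} day(s) logged)")
    print("skipped:", skipped)
```

The per-folder window bounds which credentials typed on that machine need to be rotated and which days of activity the affected user should review.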



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice