Jun26
1:33 am (UTC-7)   |   by Joseph Cepe (Threats Analyst)

TSPY_MAHA.S, is a keylogger Trojan Spy that uploads captured information to a certain site. Testing one of the URLs being accessed by the keylogger to check if it was still up.

http://in-2-[BLOCKED]eb2.com/img/parse.php

The URL displayed nothing which was a good sign that it was still up. No error messages returned. Testing further, by simply removing “parse.php” from the URL, I wanted to see if I can find further information.

http://in-2-[BLOCKED]eb2.com/img/

maha_1.JPG

To my surprise, directory listing is enabled! From here, you can either download the whole arhive (archive_5f4a8.tar.gz) or just browse through the logged keystrokes in the folder “Logs”.

maha_2.JPG

The malware used the format _ of the infected machine/account where logged keystrokes are found.

Browsing further inside, log files are named in the format DD_MM_YYYY.html where it corresponds to the actual date the log file was posted to the server.

maha_3.JPG

Various types of logged keystrokes (such as Bank Accounts, Yahoo! & MSN accounts, PayPal account, Email conversations) were found inside the folders which I believe are still active and the password have not been changed.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!



This entry was posted on Tuesday, June 26th, 2007 at 1:33 am and is filed under Security . Responses are closed, but you can trackback from your own site.



Comments are closed.


New Fake Codec Download Site
It’s more than meets the eye, it’s [yet another] malware download site in disguise


 
TrendWatch Hijack This Web Protection Add-On
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
 



    		 
© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice