English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Watch us on

Home→Descriptions→Trojan-Spy.Win32.Dks.11.b

Trojan-Spy.Win32.Dks.11.b

Detected	Nov 17 2002 20:00 GMT
Released	Nov 17 2002 20:00 GMT
Published	Oct 25 2006 12:18 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan logs the user’s keystrokes. It is a Windows PE EXE file. It is written in Visual C++. The file is 14,336 bytes in size.

Installation

Once launched, the Trojan copies itself to the Windows system directory as "systemks.exe":

%System%\systemks.exe

It then registers itself in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"systemks" = "systemks.exe"

This ensures that the Trojan will be launched each time Windows is booted on the victim machine.

The Trojan also creates a file called "systemks.dll" in the Windows system registry:

%System%\systemks.dll (9 728 bytes)

This file intercepts information entered via the keyboard and writes it to a log file.

The Trojan will also track its repeated launch by search for a window with the heading “systemks”.

Payload

The Trojan intercepts information entered via the keyboard, determines the language it has been entered in, tracks window operations and then writes this information to the following file:

%System%\kslog.txt

Removal instructions

Delete the Trojan process.
Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Delete the files created by the Trojan:
%System%\systemks.exe
%System%\systemks.dll
%System%\kslog.txt
Delete the following registry key value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"systemks" = "systemks.exe"
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Print

Share

Malicious programs

Trojans

Trojan-Spy

Trojan-Spy programs are used to spy on a user’s actions (to track data entered by keyboard, make screen shots, retrieve a list of running applications, etc.) The harvested information is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request) and other methods can be used to transmit the data.

Other versions

Trojan-Spy.Win32.Dks.11.a

Aliases

Trojan-Spy.Win32.Dks.11.b (Kaspersky Lab) is also known as:

..DKS.11.b (Kaspersky Lab)
TrojanSpy.Win32.DKS.11.b (Kaspersky Lab)
Trojan.Spy.Dks.11.b (Kaspersky Lab)
Trojan: Generic.b (McAfee)
App: KeyLog-Dks.dll (McAfee)
Sus/Behav-1014 (Sophos)
Troj/Dks11-B (Sophos)
Univ.AP.H (Panda)
Heuristic.WinPE-Statistical (Panda)
W32/Malware!4785 (FPROT)
W32/Trojan.AYCJ (FPROT)
PWS:Win32/Dks (MS(OneCare))
Trojan.Dks.11 (DrWeb)
Win32/Spy.Dks trojan (Nod32)
Win32/Spy.Dks.11.B trojan (Nod32)
Trojan.Dks.1.1 (BitDef7)
Trojan.Spy.Dks.11.B (BitDef7)
TrojanSpy.Dks!R+jd3fQLpWE (VirusBuster)
TrojanSpy.Dks!N4IQBLB3G6U (VirusBuster)
Win32:Dks-D [Trj] (AVAST)
Win32:Dks-C [Trj] (AVAST)
Trojan-Spy.Win32.Dks.11 (Ikarus)
PSW.Generic3.OGP (AVG)
PSW.Generic.GKN (AVG)
TR/Spy.DKS.11.B (AVIRA)
TR/DKSSpy.11.B.2 (AVIRA)
Infostealer (NAV)
Trojan Horse (NAV)
W32/Dks.1_3B (Norman)
W32/Dks.O (Norman)
Generic.B (NAI)
TROJ_DKS.11.B (PCCIL)
Trojan.Spy.DKS.11.b (Rising)
Trojan.Spy.Dks.12 (Rising)
Trojan-Spy.Win32.Dks.11.b [AVP] (FSecure)
TROJ_DKS.11 (TrendMicro)
TrojanSpy.Dks!N4IQBLB3G6U (VirusBusterBeta)
TrojanSpy.Dks!R+jd3fQLpWE (VirusBusterBeta)

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

securelist.com