Dangerous MSN trojan blends spyware and keylogger threats

IT security watchers today warned of a newly intercepted malicious trojan that disguises itself as MSN Messenger to avoid detection.

Described as "dangerous" by PandaLabs, the Spymaster.A trojan combines spyware and keylogger characteristics in an attempt to steal all types of information from compromised computers.


As with most Trojans, Spymaster.A is not able to spread by itself, and therefore needs the intervention of a malicious user. It can reach computers as an attachment to email messages, or could be downloaded from web pages, P2P applications, instant messaging systems or infected CDs or diskettes.

After it reaches a computer, should a user run the file that contains Spymaster.A, a copy of this trojan is created as a file called syscont.exe. The process associated with this file has the name Win servico. However, PandaLabs warns that if the user views active processes in the task manager, they will only see it as a process supposedly corresponding to MSN Messenger. This process actually hides the actions of Spymaster.A. The trojan also creates several Windows registry entries to ensure that it runs every time the computer starts up.

The trojan also creates a text file called syslogy.cc. This file stores data on the programs used on the computer, web pages visited and all information entered on the keyboard. This is the file that will be sent, via FTP, to an address from which the attacker can collect it.
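The artifacts described above (syscont.exe, the Win servico process name, syslogy.cc, registry references to the dropped file, and FTP traffic from it) can be correlated per host in endpoint telemetry. The following is an added example, not code from PandaLabs or the article; the event schema, host names, paths, registry key and address are constructed assumptions.

```python
import ntpath

# Artifact names come from the article; the event schema is a hypothetical one.
DROPPED_EXE = "syscont.exe"
LOG_FILE = "syslogy.cc"
PROCESS_NAME = "win servico"

def _base(path):
    # ntpath splits on backslashes regardless of the OS running the analysis.
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return the indicator an event matches, or None."""
    kind = event["type"]
    if kind == "file_create":
        name = _base(event["path"])
        if name == DROPPED_EXE:
            return "dropped_executable"
        if name == LOG_FILE:
            return "keystroke_log"
    elif kind == "process_start":
        named = event.get("name", "").lower() == PROCESS_NAME
        if named or _base(event["image"]) == DROPPED_EXE:
            return "trojan_process"
    elif kind == "registry_set" and DROPPED_EXE in event["data"].lower():
        return "registry_reference"  # the article does not name the keys used
    elif kind == "net_connect" and event["port"] == 21 and _base(event["image"]) == DROPPED_EXE:
        return "ftp_upload"
    return None

def triage(events):
    """Map host -> (confidence, sorted indicators); clean hosts are omitted."""
    hits = {}
    for ev in events:
        indicator = classify(ev)
        if indicator:
            hits.setdefault(ev["host"], set()).add(indicator)
    return {h: ("high" if len(i) >= 2 else "low", sorted(i)) for h, i in hits.items()}

# Constructed sample telemetry: every host, path, key and address is made up.
SAMPLE = [
    {"host": "pc-01", "type": "file_create", "path": r"C:\example\syscont.exe"},
    {"host": "pc-01", "type": "registry_set", "key": r"HKLM\EXAMPLE\AutoStart", "data": r"C:\example\SYSCONT.EXE"},
    {"host": "pc-01", "type": "process_start", "image": r"C:\example\syscont.exe", "name": "Win servico"},
    {"host": "pc-01", "type": "net_connect", "image": r"C:\example\syscont.exe", "dest": "192.0.2.10", "port": 21},
    {"host": "pc-02", "type": "process_start", "image": r"C:\example\msnmsgr.exe", "name": "MSN Messenger"},
    {"host": "pc-02", "type": "net_connect", "image": r"C:\example\ftp.exe", "dest": "192.0.2.10", "port": 21},
    {"host": "pc-03", "type": "file_create", "path": r"D:\scratch\syslogy.cc"},
]
```

A single name match is reported as low confidence because file names alone are easy to collide with; two or more distinct indicators on one host raise it to high.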

Luis Corrons, director of PandaLabs, said: "Keylogger Trojans are usually used by cyber-crooks to steal confidential information for fraudulent purposes. Given that, nowadays, financial gain is the main motivation for the creators of malicious code, it is almost certain that more examples will appear, and that they will be increasingly sophisticated and difficult to detect. The way that Spymaster.A hides the process in memory is a good example of this."

Copyright © SC Magazine, US edition