[Dshield] Guru Help Please.

Wayne Jr wayne_jr at pacbell.net
Sun Aug 24 19:50:07 GMT 2003


Is there any way to tell if there is a keylogger program running (or 
on your computer)?
Thanks,
Wayne Jr


On Sun, 24 Aug 2003 12:10:50 -0600, Chris Ream wrote:
>Hi All,
>
>I'm not quite sure what to do with something I'm working on so I
>thought
>I would put it out to the group to see if you bright folks can help
>me.
>
>Using filemon I discovered that an application calling itself
>BEFC.EXE
>is running out of my startup folder. It seems to be a keystroke
>logger
>because it's writing temp files when I do things like send email,
>write
>to notepad etc...
>
>I am proficient in assembly and wish to disassemble it and see
>exactly
>what it's doing however, it's packed with upx. I tried decompressing
>it
>with the latest version of upx but it gives me a checksum error and
>won't
>decompress the file. The weird thing is that it obviously
>decompresses
>itself when it runs.
>
>I am thinking that the virus writer intentionally modified the
>checksum
>so it would be harder to un-upx and disassemble. This thing is scary;
>it's making calls to winsock.
>
>Has anyone dealt with this type of situation before? If so, help me
>out
>here.
>
>Thanks
>
>Chris.
>
>
