[Dshield] Guru Help Please.

Wayne Jr wayne_jr at pacbell.net
Sun Aug 24 19:50:07 GMT 2003

Is there any way to tell if there is a keylogger program running (or 
on your computer)?
Wayne Jr

On Sun, 24 Aug 2003 12:10:50 -0600, Chris Ream wrote:
>Hi All,
>I'm not quite sure what to do with something I'm working on so I
>I would put it out to the group to see if you bright folks can help
>Using filemon I discovered that an application calling itself
>is running out of my startup folder. It seems to be a keystroke
>because it's writing temp files when I do things like send email,
>to notepad etc...
>I am proficient in assembly and wish to disassemble it and see
>what it's doing however, it's packed with upx. I tried decompressing
>with the latest version of upx but it gives me a checksum error and
>decompress the file. The weird thing is that it obviously
>itself when it runs.
>I am thinking that the virus writer intentionally modified the
>so it would be harder to un-upx and disassemble. This thing is scary
>it's making calls to winsock.
>Has anyone dealt with this type of situation before? If so, help me

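A first-pass static triage for the situation in the quoted message, where a file appears to be UPX-packed but `upx -d` rejects it, as an added example that is not part of the original thread: it reads the PE section table and checks for the stock `UPX0`/`UPX1` section names and the `UPX!` marker. The function names and the sample image are constructed for illustration, and the checks are heuristics, not proof of packing.

```python
import struct

def pe_sections(data):
    """Return [(name, virtual_size, raw_size)] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    count, = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    rows = []
    for i in range(count):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        rows.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize))
    return rows

def upx_triage(data):
    """Heuristic: does the file look UPX-packed, and are the usual markers intact?"""
    secs = pe_sections(data)
    names = [s[0] for s in secs]
    has_names = "UPX0" in names and "UPX1" in names
    has_magic = b"UPX!" in data
    # Packer-style layout: first section occupies memory but has no bytes on disk.
    empty_first = bool(secs) and secs[0][1] > 0 and secs[0][2] == 0
    if has_names and has_magic:
        verdict = "stock UPX markers present"
    elif has_names or has_magic or empty_first:
        verdict = "packer-like layout, UPX markers missing or altered"
    else:
        verdict = "no UPX indicators"
    return {"sections": names, "magic": has_magic, "verdict": verdict}

def build_sample(names, marker, first_raw=0):
    """Constructed header-only PE image for the demo; not a real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    sizes = [(0x8000, first_raw), (0x4000, 0x3E00), (0x1000, 0x200)]
    table = b"".join(struct.pack("<8sIIII16x", n.encode(), v, 0, r, 0)
                     for n, (v, r) in zip(names, sizes))
    return dos + coff + table + marker + b"\0" * 32

if __name__ == "__main__":
    for label, img in [("stock", build_sample(["UPX0", "UPX1", ".rsrc"], b"UPX!")),
                       ("altered", build_sample([".text", ".data", ".rsrc"], b"XXX!"))]:
        print(label, upx_triage(img))
```

Run it against a copy of the file on an isolated analysis machine; the script only reads bytes and never executes the sample.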