
WinRecon

Posted: March 28, 2006

WinRecon is a commercial keylogger that tracks user Internet activity, logs all keystrokes, takes screenshots and records passwords. It saves the gathered data to an encrypted file or sends it to a predefined e-mail address. WinRecon must be manually installed.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 codex.exe
    2 condex.exe
    3 dataview.exe
    4 kpaccess.dll
    5 kpsc.ocx
    6 kpview.ocx
    7 sp5.exe
    8 winrecon.exe

Registry Modifications

  • The following Registry entries were newly created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Arboc
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\kpsc.kpscEnc
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\kpview1.kpview
    HKEY_LOCAL_MACHINE\SOFTWARE\Gentee\Paths\WinRecon[XVS]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRecon
  • The following CLSIDs were detected: