What is this?

Jeff B

I have something generating a file in my WINDOWS/SYSTEM named kx.dta.

kx.dta is storing every keystroke I make from every application. It appears
that the file is then being sent to someone at regular intervals, either
when the file reaches a specific size or when triggered by some action....
I'm not sure.

I have not been able to determine what program (Trojan) is creating kx.dta,
nor can I successfully quarantine or delete the file.

Can anyone identify this?

Thanks
 
null

> I have something generating a file in my WINDOWS/SYSTEM named kx.dta.
>
> kx.dta is storing every keystroke I make from every application. It appears
> that the file is then being sent to someone at regular intervals, either
> when the file reaches a specific size or when triggered by some action....
> I'm not sure.
>
> I have not been able to determine what program (Trojan) is creating kx.dta,
> nor can I successfully quarantine or delete the file.
>
> Can anyone identify this?

Which av and spyware scanners have you tried?

Art
http://www.epix.net/~artnpeg
 
David W. Hodgins

> kx.dta is storing every keystroke I make from every application. It appears
> that the file is then being sent to someone at regular intervals, either

Keylogger. Can be installed as part of a trojan, for example to
capture credit card, or banking info, or by anyone with access to
your computer, who wants to know what you're doing, such as parents,
or spouse. See http://www.blazingtools.com/bpk.html
for an example. It will collect/send the log, based on time, or
size of the log file. When registered, it will allow the owner
to append the logger to any windows exe file, which is then given
to the logee. When the logee executes the supplied trojan, the
keylogger is installed transparently.

To id/remove the spyware, try Spybot Search & Destroy, which you can
download from http://security.kolla.de/index.php?lang=en&page=download

Regards, Dave Hodgins
 
Jeff B

Thanks for the reply. I don't know what other I could supply.... I just
got lucky last night when I stumbled across the file and recognized what it
was doing.

To answer other posts in this thread, I'm using Norton 2003 and Nortons
PestPatrol. So far nothing has turned up, but I know that's not correct.
Otherwise I would not have any keyboard logging going on... right?

I'm looking further into the w32.benpao.trojan, and trying to verify if
that's the culprit.

If there's anything new I can add, please feel free to ask for it.

Thanks for the response,
Jeff
 
FromTheRafters

Jeff B said:
> To answer other posts in this thread, I'm using Norton 2003 and Nortons
> PestPatrol. So far nothing has turned up, but I know that's not correct.
> Otherwise I would not have any keyboard logging going on... right?

Some AV software might not detect a *legitimate* keylogger.
What is a legitimate keylogger? One that the administrator of
a machine *wants* running on his or her machine.

It is not clear at this time what should and should not be detected
as far as this type of program is concerned. If AV companies add
detection for a legitimate keylogger, they are interfering with another
company's business. If the "wronged" business has enough clout
(read "money"), then they could "convince" (read "payoff") the AV
to not include detection for their software.

As the legitimacy of the particular instance of the program concerned
depends on whether it is being *used* or *abused*, it would be very
hard for the AV to make that call. It will be interesting to see how this
is handled ~ the time is ripe for this to be decided.
 
Nick FitzGerald

Jeff B said:
> Thanks for the reply. I don't know what other I could supply.... I just
> got lucky last night when I stumbled across the file and recognized what it
> was doing.
>
> To answer other posts in this thread, I'm using Norton 2003 and Nortons
> PestPatrol. ...

_Nortons_ PestPatrol???

I suspect the folk at PestPatrol Inc. may have something to say about
that... :cool:

> ... So far nothing has turned up, but I know that's not correct.
> Otherwise I would not have any keyboard logging going on... right?

Seems reasonable...

> I'm looking further into the w32.benpao.trojan, and trying to verify if
> that's the culprit.

Huh -- why?? I see no mention of it having a keylogging component...

> If there's anything new I can add, please feel free to ask for it.

What OS do you run??

You could try Sysinternals' FileMon:

http://www.systernals.com/ntw2k/source/filemon.shtml

It generates truckloads of data, so once installed and running, set a filter
to limit its information to just the kx.dta file, or that and any other files
you are fairly sure are "dubious". Once you find the .EXE file(s) involved,
send samples to your preferred AV developers. A list of the suspect file
submission addresses of the better known AV developers is included here to
save you looking them up (I suggest that you send the file(s) to more than
just Symantec...):

Command Software (e-mail address removed)
Computer Associates (US) (e-mail address removed)
Computer Associates (Vet/EZ) (e-mail address removed)
DialogueScience (Dr. Web) (e-mail address removed)
Eset (NOD32) (e-mail address removed)
F-Secure Corp. (e-mail address removed)
Frisk Software (F-PROT) (e-mail address removed)
Grisoft (AVG) (e-mail address removed)
H+BEDV (AntiVir) (e-mail address removed)
Kaspersky Labs (e-mail address removed)
Network Associates (McAfee) (e-mail address removed)
Norman (NVC) (e-mail address removed)
Sophos Plc. (e-mail address removed)
Symantec (Norton) (e-mail address removed)
Trend Micro (PC-cillin) (e-mail address removed)
(Trend may only accept files from registered users of its products)
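
The FileMon step suggested in the post above, worked through as an added example that is not part of any post in this thread: once a filtered log has been saved, a short script can rank the processes that actually wrote kx.dta. The tab-separated column layout, the sample rows and the process names are constructed assumptions, not FileMon's documented export format.

```python
import ntpath
from collections import Counter

# Constructed sample rows, not real monitor output. Assumed layout (tab-separated):
# seq, time, process, request, path, result, other. Process names are placeholders.
SAMPLE_LOG = "\n".join([
    "1\t10:02:11\texplorer.exe\tOPEN\tC:\\WINDOWS\\SYSTEM\\SHELL32.DLL\tSUCCESS\t",
    "2\t10:02:12\tplaceholder_a.exe\tOPEN\tC:\\WINDOWS\\SYSTEM\\kx.dta\tSUCCESS\t",
    "3\t10:02:12\tplaceholder_a.exe\tWRITE\tC:\\WINDOWS\\SYSTEM\\kx.dta\tSUCCESS\tOffset: 512 Length: 16",
    "4\t10:02:13\tnotepad.exe\tWRITE\tC:\\My Documents\\notes.txt\tSUCCESS\tOffset: 0 Length: 40",
    "5\t10:02:14\tplaceholder_a.exe\tWRITE\tC:\\WINDOWS\\SYSTEM\\KX.DTA\tSUCCESS\tOffset: 528 Length: 16",
    "6\t10:02:15\tscanner.exe\tOPEN\tC:\\WINDOWS\\SYSTEM\\kx.dta\tSHARING VIOLATION\t",
    "7\t10:02:16\tplaceholder_a.exe\tREAD\tC:\\WINDOWS\\SYSTEM\\kx.dta\tSUCCESS\tOffset: 0 Length: 544",
    "truncated line without enough columns",
])

def parse_rows(log_text):
    """Yield (process, request, path, result) for each well-formed row."""
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:  # skip truncated or header lines
            continue
        yield cols[2].strip(), cols[3].strip().upper(), cols[4].strip(), cols[5].strip().upper()

def activity_on(log_text, target_name):
    """Per-process counts of successful writes, other successful accesses and failures."""
    target = target_name.lower()
    stats = {}
    for process, request, path, result in parse_rows(log_text):
        # Windows file names are case-insensitive, so compare lowered base names.
        if ntpath.basename(path).lower() != target:
            continue
        counts = stats.setdefault(process.lower(), Counter())
        if result != "SUCCESS":
            counts["failed"] += 1
        elif request == "WRITE":
            counts["writes"] += 1
        else:
            counts["other"] += 1
    return stats

def likely_writers(log_text, target_name):
    """Processes that successfully wrote the target, most writes first."""
    stats = activity_on(log_text, target_name)
    writers = [(p, c["writes"]) for p, c in stats.items() if c["writes"] > 0]
    return sorted(writers, key=lambda pw: (-pw[1], pw[0]))

if __name__ == "__main__":
    for process, writes in likely_writers(SAMPLE_LOG, "kx.dta"):
        print(f"{process}: {writes} successful writes to kx.dta")
```

Processes that only fail to open the file, such as a scanner hitting a sharing violation, show up under `failed` and are kept out of the writer list.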
 
»Q«

(e-mail address removed) (John Coutts) wrote in
> That is true with Windows NT, but not with Windows 2000. With XP,
> you have to change the default settings under Advanced Options to
> search Hidden and System directories. Even after changing that, I
> have found the search engine on XP to be inconsistent. Sometimes
> it searches the Internet Explorer cache directories, and sometimes
> it doesn't.

Thanks. I'd changed the settings in XP, but did not think to check to
see if it really always looked everywhere. Am DLing Agent Ransack now.
 
