Initial samples received on: May 27, 2007
Memory resident: No
File size: 20,992 Bytes
This spyware may arrive as a file downloaded from the Internet, or as a file dropped by other malware.
Upon execution, it drops a copy of itself as KSVSVC.EXE in the Windows folder. It also drops a .DLL component, KSVSVC.DLL, which is also detected as TSPY_ONLINEG.CTM, in the Windows system folder. This .DLL is injected into several processes to ensure that it stays resident in memory. Afterwards, the executable file terminates.
To ensure its automatic execution at every system startup, this spyware creates the following registry entry:
KSVSvc.exe = "%Windows%\KSVSvc.exe"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It monitors the Internet Explorer activities of an affected system. It steals account-related information, such as user names and passwords, used in certain online games. It performs this routine by logging user keystrokes and saving the gathered information in a text file. It then sends the text file to a predetermined email address using its own Simple Mail Transfer Protocol (SMTP) engine.
It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
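The file drops and autostart value described above can be checked during triage of a mounted disk image. The following is an added example, not part of the original description: the function names, the `system32`/`system` folder names and the exported autostart dictionary are assumptions, and the sample data in `demo()` is constructed.

```python
import os
import tempfile

# Host indicators taken from the description above (file names and autostart value name).
EXE_NAME = "ksvsvc.exe"   # dropped copy in the Windows folder
DLL_NAME = "ksvsvc.dll"   # dropped component in the Windows system folder
# Assumption: the system folder is a direct child of the Windows folder with one of these names.
SYSTEM_DIRS = ("system32", "system")


def _find_ci(directory, wanted):
    """Return the path of an entry matching `wanted` case-insensitively, or None."""
    try:
        for entry in os.listdir(directory):
            if entry.lower() == wanted:
                return os.path.join(directory, entry)
    except OSError:
        pass  # directory missing or unreadable
    return None


def triage(windows_dir, autostart_values):
    """Check a Windows folder and {value_name: value_data} autostart values exported by the analyst."""
    findings = []
    exe = _find_ci(windows_dir, EXE_NAME)
    if exe:
        findings.append(("dropped_exe", exe))
    for sub in SYSTEM_DIRS:
        sysdir = _find_ci(windows_dir, sub)
        dll = _find_ci(sysdir, DLL_NAME) if sysdir else None
        if dll:
            findings.append(("dropped_dll", dll))
    for name, data in autostart_values.items():
        # Compare the last path component of the value data, e.g. %Windows%\KSVSvc.exe
        tail = data.strip('"').rsplit("\\", 1)[-1].lower()
        if name.lower() == EXE_NAME or tail == EXE_NAME:
            findings.append(("autostart_value", f"{name} = {data}"))
    return findings


def demo():
    """Constructed sample: a fake Windows tree plus two autostart values."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "System32"))
        for rel in ("KSVSVC.EXE", os.path.join("System32", "KSVSVC.DLL")):
            open(os.path.join(root, rel), "wb").close()
        values = {"KSVSvc.exe": r"C:\WINDOWS\KSVSvc.exe", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
        return [kind for kind, _ in triage(root, values)]
```

File names are matched case-insensitively because the description writes the name both as KSVSVC.EXE and KSVSvc.exe.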