Analysis by: Jimelle Monteser

ALIASES:

Monitor.Win32.Dafunk (Kaspersky), MonitoringTool:Win32/SnoopIt (Microsoft), Monitor.Win32.Dafunk (Ikarus)

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware may be manually installed by a user.

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

  TECHNICAL DETAILS

File Size: 2,351,355 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 27 Jun 2013

Arrival Details

This spyware may be manually installed by a user.

Installation

This spyware drops the following component file(s):

  • %System Root%\SETUPTMP\setup.exe
  • %System Root%\SETUPTMP\SETUP.LST
  • %System Root%\SETUPTMP\tychicus.CAB
  • %Start Menu%\Programs\Tychicus\Tychicus.LNK
  • %Program Files%\Tychicus\KTKbdHk.dll
  • %Program Files%\Tychicus\Softwrap.dll
  • %Program Files%\Tychicus\ST6UNST.LOG
  • %Program Files%\Tychicus\tychicus.exe
  • %Program Files%\Tychicus\tychicus.sw
  • %Windows%\Setup1.exe
  • %Windows%\ST6UNST.EXE
  • %System%\VB6STKIT.DLL

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %Windows% is the Windows folder, which is usually C:\Windows. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It creates the following folders:

  • %Start Menu%\Programs\Tychicus
  • %System Root%\SETUPTMP
  • %Program Files%\Tychicus

(Note: %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other System Modifications

This spyware adds the following registry keys:

  • HKEY_CLASSES_ROOT\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}
  • HKEY_CLASSES_ROOT\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32
  • HKEY_CLASSES_ROOT\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}
  • HKEY_CLASSES_ROOT\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Control
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Programmable
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version
  • HKEY_CLASSES_ROOT\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID
  • HKEY_CLASSES_ROOT\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}
  • HKEY_CLASSES_ROOT\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid
  • HKEY_CLASSES_ROOT\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32
  • HKEY_CLASSES_ROOT\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib
  • HKEY_CLASSES_ROOT\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}
  • HKEY_CLASSES_ROOT\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid
  • HKEY_CLASSES_ROOT\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32
  • HKEY_CLASSES_ROOT\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib
  • HKEY_CLASSES_ROOT\MSComDlg.CommonDialog
  • HKEY_CLASSES_ROOT\MSComDlg.CommonDialog.1
  • HKEY_CLASSES_ROOT\MSComDlg.CommonDialog.1\CLSID
  • HKEY_CLASSES_ROOT\MSComDlg.CommonDialog\CLSID
  • HKEY_CLASSES_ROOT\MSComDlg.CommonDialog\CurVer
  • HKEY_CLASSES_ROOT\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}
  • HKEY_CLASSES_ROOT\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2
  • HKEY_CLASSES_ROOT\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0
  • HKEY_CLASSES_ROOT\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
  • HKEY_CLASSES_ROOT\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS
  • HKEY_CLASSES_ROOT\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Control
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Programmable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tychicus.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #1

Dropping Routine

This spyware executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

  SOLUTION

Minimum Scan Engine: 9.300
SSAPI PATTERN File: 1.411.00
SSAPI PATTERN Date: 27 Jun 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and terminate files detected as SPYWARE_KEYL_KEYBOARDLOGGER

  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 3

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CLASSES_ROOT\CLSID
    • {3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}
  • In HKEY_CLASSES_ROOT\CLSID
    • {7629CFA2-3FE5-101B-A3C9-08002B2F49FB}
  • In HKEY_CLASSES_ROOT\Interface
    • {083039C2-13F4-11D1-8B7E-0000F8754DA1}
  • In HKEY_CLASSES_ROOT\Interface
    • {F9043C87-F6F2-101A-A3C9-08002B2F49FB}
  • In HKEY_CLASSES_ROOT
    • MSComDlg.CommonDialog
  • In HKEY_CLASSES_ROOT\TypeLib
    • {F9043C88-F6F2-101A-A3C9-08002B2F49FB}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {7629CFA2-3FE5-101B-A3C9-08002B2F49FB}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {F9043C85-F6F2-101A-A3C9-08002B2F49FB}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {083039C2-13F4-11D1-8B7E-0000F8754DA1}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {F9043C87-F6F2-101A-A3C9-08002B2F49FB}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • MSComDlg.CommonDialog
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {F9043C88-F6F2-101A-A3C9-08002B2F49FB}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
    • tychicus.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    • SharedDlls
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • ST6UNST #1

Step 4

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden folders in the search result.
  • %Start Menu%\Programs\Tychicus
  • %System Root%\SETUPTMP
  • %Program Files%\Tychicus

Step 5

Search and delete these files

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\Setup1.exe
  • %Windows%\ST6UNST.EXE
  • %System%\VB6STKIT.DLL

Step 6

Scan your computer with your Trend Micro product to delete files detected as SPYWARE_KEYL_KEYBOARDLOGGER. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
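The following PowerShell script is added here as an illustration of Steps 2 to 5; it is not Trend Micro's tooling and not part of this description. It resolves the %System Root%, %Start Menu%, %Program Files%, %Windows% and %System% placeholders the way the notes above define them, checks every file, folder and top-level registry key listed in the description, and reports what is present. Nothing is deleted unless -Remove is given, and -WhatIf previews the deletions, because two of the Step 3 keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls and the MSComDlg.CommonDialog registrations) are shared with other installed software and should be reviewed before removal. The SysWOW64 check for VB6STKIT.DLL is an assumption of this script, not a location the description gives: on 64-bit Windows a 32-bit installer's writes to System32 are redirected there. Run it elevated from a 64-bit PowerShell host so that %Program Files%, %System% and HKLM\SOFTWARE\Classes resolve to the locations the description refers to.

```powershell
<#
  Audit a host for the SPYWARE_KEYL_KEYBOARDLOGGER artifacts listed in this
  description and, only on request, remove them. Added illustration; not
  Trend Micro's tooling. Run elevated from a 64-bit PowerShell host.
  Usage:  .\Find-Tychicus.ps1                  # report only
          .\Find-Tychicus.ps1 -Remove -WhatIf  # preview deletions
          .\Find-Tychicus.ps1 -Remove          # delete what was found
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove nothing is deleted
)

# Resolve the description's placeholders the way its notes define them.
$programFiles = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$placeholders = @{
    '%System Root%'   = $env:SystemDrive                        # e.g. C:
    '%Start Menu%'    = [Environment]::GetFolderPath('StartMenu')
    '%Program Files%' = $programFiles                           # Program Files (x86) on 64-bit
    '%Windows%'       = $env:windir
    '%System%'        = Join-Path $env:windir 'System32'
}
function Expand-Placeholder([string]$Path) {
    foreach ($name in $placeholders.Keys) { $Path = $Path.Replace($name, $placeholders[$name]) }
    return $Path
}

# Files and folders exactly as listed under "Installation".
$files = @(
    '%System Root%\SETUPTMP\setup.exe',  '%System Root%\SETUPTMP\SETUP.LST',
    '%System Root%\SETUPTMP\tychicus.CAB',
    '%Start Menu%\Programs\Tychicus\Tychicus.LNK',
    '%Program Files%\Tychicus\KTKbdHk.dll', '%Program Files%\Tychicus\Softwrap.dll',
    '%Program Files%\Tychicus\ST6UNST.LOG', '%Program Files%\Tychicus\tychicus.exe',
    '%Program Files%\Tychicus\tychicus.sw',
    '%Windows%\Setup1.exe', '%Windows%\ST6UNST.EXE', '%System%\VB6STKIT.DLL'
) | ForEach-Object { Expand-Placeholder $_ }
# Assumption, not in the description: a 32-bit installer's System32 writes land in SysWOW64 on 64-bit Windows.
$files += Join-Path $env:windir 'SysWOW64\VB6STKIT.DLL'

$folders = @(
    '%Start Menu%\Programs\Tychicus', '%System Root%\SETUPTMP', '%Program Files%\Tychicus'
) | ForEach-Object { Expand-Placeholder $_ }

# The top-level keys from Step 3. Deleting a key removes its subkeys, so the
# InprocServer32, TypeLib, ... children listed above need no separate entries.
$keys = @(
    'HKEY_CLASSES_ROOT\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}',
    'HKEY_CLASSES_ROOT\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}',
    'HKEY_CLASSES_ROOT\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}',
    'HKEY_CLASSES_ROOT\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}',
    'HKEY_CLASSES_ROOT\MSComDlg.CommonDialog',
    'HKEY_CLASSES_ROOT\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tychicus.exe',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ST6UNST #1'
) | ForEach-Object { "Registry::$_" }   # the Registry:: provider reaches HKCR without a mapped drive

# -LiteralPath: the names contain braces and '#', which must not be treated as wildcards.
$found = @(($files + $folders + $keys) | Where-Object { Test-Path -LiteralPath $_ })
if ($found.Count -eq 0) { Write-Output 'No artifacts from the description are present.'; return }
$found | ForEach-Object { Write-Output "FOUND  $_" }
if (-not $Remove) { Write-Output 'Nothing removed; re-run with -Remove (add -WhatIf to preview).'; return }

# Step 2: stop the running process first so the file deletions are not blocked by an open handle.
Get-Process -Name 'tychicus' -ErrorAction SilentlyContinue | Stop-Process -Force
# Files are removed before folders and registry keys, in the order they were found.
foreach ($item in $found) {
    if ($PSCmdlet.ShouldProcess($item, 'Remove')) {
        Remove-Item -LiteralPath $item -Recurse -Force -ErrorAction Continue
    }
}
```

Because the script declares SupportsShouldProcess, a single -WhatIf on the command line is inherited by Stop-Process and Remove-Item as well, so the preview run touches nothing. Step 1 (disabling System Restore) and Step 6 (the full scan) are not automated here and still apply.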
