MSIL/Spy.RinLog [Threat Name]

MSIL/Spy.RinLog.A [Threat Variant Name]

Category: trojan
Size: 194560 B
Detection created: Jul 06, 2013
Detection database version: 10082
Aliases: Trojan-Spy.MSIL.KeyLogger.agnk (Kaspersky)

Short description

MSIL/Spy.RinLog.A is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %startup%\.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "(Default)" = "%startup%\.exe"

Information stealing

MSIL/Spy.RinLog.A is a trojan that steals sensitive information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • screenshots
  • user name
  • computer name
  • operating system version
  • amount of operating memory
  • Windows product key

The following programs are affected:

  • Mozilla Firefox

The trojan is able to log keystrokes.


The trojan attempts to send the gathered information to a remote machine via e-mail, using the SMTP protocol.

Other information

The trojan blocks execution of some programs.


The following programs are affected:

  • Command Prompt
  • Task Manager
  • Registry Editor
  • Internet Explorer
  • MSN Messenger
  • System Configuration

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    • "DisableCMD" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDrives" = %systemdrivebitmask%
    • "NoViewOnDrive" = %systemdrivebitmask%
    • "NoClose" = 1
    • "DisallowRun" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
    • "10" = "iexplore.exe"
    • "11" = "msnmsgr.exe"
    • "12" = "msconfig.exe"
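
The Run entry and the policy values listed above can be checked in a `reg export` of HKEY_CURRENT_USER. The following Python code is an added example, not part of the original description and not the vendor's detection logic; the function names are this example's own and the sample export text is constructed.

```python
import re

# Entries from this page; key paths lower-cased. None = any non-zero data.
BASE = r"hkey_current_user\software\microsoft\windows\currentversion"
POL, RUN = BASE + r"\policies", BASE + r"\run"
VALUES = {
    r"hkey_current_user\software\policies\microsoft\windows\system": {"disablecmd": 1},
    POL + r"\system": {"disabletaskmgr": 1, "disableregistrytools": 1},
    POL + r"\explorer": {"nodrives": None, "noviewondrive": None, "noclose": 1, "disallowrun": 1},
}
BLOCKED = {"iexplore.exe", "msnmsgr.exe", "msconfig.exe"}

def parse_reg(text):
    """Yield (key, value name, data) from .reg text; dword data becomes int."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(dword:[0-9a-fA-F]+|".*")$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m:
            name = "(Default)" if m[1] == "@" else m[1][1:-1]
            dword = m[2].startswith("dword:")
            yield key, name, int(m[2][6:], 16) if dword else m[2][1:-1].replace("\\\\", "\\")

def find_indicators(text):
    """Return (key, value name, data) tuples that match the entries on the page."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), str(data).lower()
        want = VALUES.get(k, {})
        if ((n in want and (data == want[n] or (want[n] is None and data != 0)))
                or (k == POL + r"\explorer\disallowrun" and d in BLOCKED)
                or (k == RUN and name == "(Default)" and d.endswith(".exe"))):
            hits.append((key, name, data))
    return hits

# Constructed sample in .reg export format (not data from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Users\\u\\Startup\\.exe"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000004
"NoClose"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"10"="iexplore.exe"
"1"="notepad.exe"'''
```

These policy values can also be set by legitimate administrative policy, so a match is a lead for triage rather than proof of infection.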

It can execute the following operations:

  • delete cookies
  • change the home page of web browser
  • display a dialog window
  • visit a specific website
  • download files from a remote computer and/or the Internet
  • run executable files

The trojan requires the Microsoft .NET Framework to run.
