KeySave
(Trojan-Spy.Win32.KeySave)

by Ayan Chakrabarti

Released in August 2001


KeySave

Features
-=-=-=-=

* Logs all keys pressed by the user, including key combinations.
* Once installed, KeySave is completely invisible. It does not show any
  message while starting up. In Win 9x, it is even invisible in the
  <ALT+CTRL+DEL> list.
* Besides keys, it also logs the caption of the foreground windows in which
  keys are being typed.
* KeySave has an SMTP module which can be used to mail log files to a specific
  e-mail address every time the computer is online.
* KeySave comes with a QuickInstall maker which creates standalone .exes that
  are able to install KeySave on a system without any user interaction.
* KeySave is also very small. KBDLOG.EXE is only 27K while the QuickInstall
  .exes that are created are just over 50K.
* KeySave is completely FREE !!


Installing KeySave
-=-=-=-=-=-=-=-=-=

To install KeySave on a machine you must have the following two files:
        - install.exe
        - kbdlog.exe

Run install.exe, which will ask you the following questions:

- Enter filename (including .exe extension) for storing KeySave:

The KeySave executable is stored in your windows directory with the
filename that you type in here. For example, if your windows directory
is C:\Windows and you want the KeySave executable to be stored as
C:\Windows\abcd.exe then you should type in abcd.exe in response to
this question.

- Do you want log files to be sent by email ? <y/n>

You can make KeySave send log files via email whenever the machine
goes online. Type in y here to activate this feature. The following
three questions are asked to you only if you have typed y here.

- SMTP Host Address:
- From Address:
- Send Mail To:

This is the info required by KeySave to send the log files via email.
Please note that KeySave does not support those SMTP servers that
require POP Authentication.

Following this, KeySave is installed on your system and you are asked
whether you want to start the keylogger. If you don't want the keylogger
to run until the next reboot, type n here otherwise type y.

Please note - Running kbdlog.exe directly will start the keylogger
itself. However, it will not be installed on your system, i.e. it will not
run every time you start up. Also, log files will not be mailed automatically.


Making a QuickInstaller
-=-=-=-=-=-=-=-=-=-=-=-

A quick installer is a stand-alone exe that contains the kbdlog.exe file as
well as the installation options within itself and can install KeySave without
any user interaction required.

To make a quick installer, simply run QINST.EXE, which is present in the
QINST subdirectory. Also ensure that the file QINST.MOD is in the same
directory. Give the filename for the output .exe as well as the installation
options you would give during a normal installation. QINST.EXE will then create
the QuickInstaller file. The file created can then be taken to and run on any
machine to install KeySave with the options you entered.

Please note that RUNNING QINST.EXE DOES NOT BY ITSELF INSTALL KEYSAVE ON
THE MACHINE. The generated exe has to be run to install KeySave. Also, the
exe file created by QINST.EXE is standalone and does not require any other
file to install KeySave.


Uninstalling KeySave
-=-=-=-=-=-=-=-=-=-=

You must know what filename you entered during install for storing the KeySave
exe. The KeySave exe will be stored in your windows directory under that
name.

        1. Remove the reference to the KeySave exe (with full path) from the
           [windows] section and "run" key of your WIN.INI file.
        2. Reboot your machine.
        3. Delete the KeySave exe from your windows directory. Also if you
           want to remove the logs, they are stored in a subdirectory called
           KBDLOG in your windows directory.


Using KeySave
-=-=-=-=-=-=-

KeySave logs keys to a file called LOGFILE.KEY in the KBDLOG subdirectory
of your windows directory. If your windows directory is C:\Windows, the
full path to LOGFILE.KEY is "C:\Windows\KBDLOG\LOGFILE.KEY".

The LOGFILE.KEY file is renamed to a MLQxxxx.MQU file every day and logging
continues in a new LOGFILE.KEY. The xxxx represents a sequence number. If
you have log file emailing enabled, the MLQxxxx.MQU files are sent by email
and then deleted to prevent them from taking up too much disk space.

Whether you get the MLQxxxx.MQU files via email or access them directly from
your system, you need to use READDATA to view these files. READDATA has two
output modes: c for console output and t for output which can be redirected
to a file.

        eg)     readdata c c:\windows\kbdlog\mlq0001.mqu
                readdata t c:\windows\kbdlog\mlq0001.mqu > klog.txt

The first command will display the logs in a coloured format on the screen,
while the second will redirect them to a file called klog.txt.

When showing console output, you can go to a previous screen by pressing the
'<' key.
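As an added defender-side example, not part of KeySave or this README: a Python check for the two artifacts this document describes, the WIN.INI [windows] "run" persistence entry (see Uninstalling KeySave) and the KBDLOG log directory with its LOGFILE.KEY and MLQxxxx.MQU files (see Using KeySave). The function names, the default Windows directory argument and the sample WIN.INI text are constructed for the example; the README itself ships no such code.

```python
# Added example (not part of KeySave or this README): a defender-side check for
# the two artifacts the README documents, the WIN.INI [windows] "run" persistence
# entry and the KBDLOG log directory. Function names and the sample WIN.INI text
# are constructed for this example.
import ntpath
import os
import re
from typing import Dict, List

LOG_SUBDIR = "KBDLOG"          # log directory under the Windows directory (README)
LIVE_LOG_NAME = "LOGFILE.KEY"  # current log file name (README)
ROTATED_LOG_RE = re.compile(r"^MLQ\d{4}\.MQU$", re.IGNORECASE)  # daily rotated logs

# Constructed sample WIN.INI, not a capture from a real machine. The second run=
# program stands in for a legitimate entry outside the Windows directory.
SAMPLE_WIN_INI = r"""; constructed sample
[windows]
load=
run=C:\WINDOWS\abcd.exe C:\TOOLS\ok.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def parse_win_ini_run(ini_text: str) -> List[str]:
    """Return every program named on the run= line of the [windows] section.

    Assumption: programs on one run= line are separated by spaces or commas, as
    Windows 9x accepts, so paths containing spaces are not handled here.
    """
    section = None
    programs: List[str] = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "run" and value:
            programs.extend(p for p in re.split(r"[,\s]+", value) if p)
    return programs


def suspicious_run_entries(ini_text: str, windir: str = r"C:\Windows") -> List[str]:
    """Flag run= programs that sit directly in the Windows directory.

    The README says the installer stores the executable in the Windows directory
    under whatever name the installer was given, so the file name is not a usable
    indicator; an executable started from run= out of that directory is.
    """
    windir_norm = ntpath.normcase(windir.rstrip("\\"))
    return [p for p in parse_win_ini_run(ini_text)
            if ntpath.normcase(ntpath.dirname(p)) == windir_norm]


def classify_log_names(names: List[str]) -> Dict[str, List[str]]:
    """Sort directory entries into the live log and the rotated MLQxxxx.MQU files."""
    result: Dict[str, List[str]] = {"live": [], "rotated": []}
    for name in names:
        if name.upper() == LIVE_LOG_NAME:
            result["live"].append(name)
        elif ROTATED_LOG_RE.match(name):
            result["rotated"].append(name)
    return result


def scan_log_dir(windir: str) -> Dict[str, List[str]]:
    """Classify the contents of <windir>/KBDLOG; empty lists if the directory is absent."""
    log_dir = os.path.join(windir, LOG_SUBDIR)
    if not os.path.isdir(log_dir):
        return {"live": [], "rotated": []}
    return classify_log_names(os.listdir(log_dir))


if __name__ == "__main__":
    print("run= entries in Windows directory:", suspicious_run_entries(SAMPLE_WIN_INI))
    print("KBDLOG contents:", scan_log_dir(os.environ.get("WINDIR", r"C:\Windows")))
```

On a real machine the text of WIN.INI would be read from the Windows directory and passed to suspicious_run_entries, and scan_log_dir pointed at the same directory; a non-empty result from either is the cue to follow the three uninstall steps above (clear the run entry first, reboot, then delete the executable and the KBDLOG directory).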

Ayan Chakrabarti


Server:
c:\WINDOWS\xxxx.exe 

Size: 27.136 bytes 
     
startup:
c:\windows\win.ini, [windows] "run" 

MegaSecurity