by LttCoder
Written in Delphi, Server compressed with FSG
Released in March 2005
Description:
-----------
LttLogger is a little keylogger that logs all the keys pressed on your keyboard and saves it to a file inside WINDOWS/ folder. When the file reaches ybytes (which you specify in editserver) it will automatically upload the logfile to a ftp server you specify.

-DLL injection (firewall bypass)
-Server size 16,7 kb fsg packed
-melt function
-J3n7il's editserver encryption

What's new in 2.0?
-check if FTP server is online, and only upload/reset logfile ONLY when it is online.
-Log file is now hidden and cannot be seen by a normal user.
-Finds the default internet browser and injects to it, instead of only injecting into iexplore.
-keylogger can save the logfiles in different directories on the ftp server.
-the name of the dll file that keylogger uses can now be changed from editserver.
-Multi-Infect protection.
-Disables system restore.
-more startup methods (Including Activex and the secret methods from SUB7)
-create each directory for every victim in order by computername
-PHP notification added

LttCoder

Server:

dropped files:
c:\WINDOWS\4DFlowerBox.scr size: 17,197 bytes
c:\WINDOWS\cht.pol size: 36 bytes
c:\WINDOWS\mseiw.exe size: 17,197 bytes
c:\WINDOWS\syxsocks.dll size: 18,944 bytes
c:\WINDOWS\system32\fontstyles.exe size: 17,197 bytes

changes to registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
old data: Explorer.exe
new data: explorer.exe 4DFlowerBox.scr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "System"
old data:
new data: C:\WINDOWS\System32\fontstyles.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"
old data:
new data: mseiw.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders "Common Startup"
old data: %ALLUSERSPROFILE%\Start Menu\Programs\Startup
new data: C:\WINDOWS\System32\webdav

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run"
data: mseiw.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515} "StubPath"
data: C:\WINDOWS\mseiw.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "msiew"
data: C:\Documents and Settings\Kobayashi\Desktop\LttLogger2.0\server.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "msiew"
data: C:\WINDOWS\mseiw.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices "msiew"
data: C:\WINDOWS\mseiw.exe

tested on Windows XP
March 21, 2005
MegaSecurity