How a malicious help file can install a spyware keylogger

Windows help file malware

Do you think a Windows help file is safe? Think again.

Malware authors can create boobytrapped .HLP files, designed to infect your computer.

Take, for instance, the strange .HLP file which was sent to SophosLabs by some of our customers at the end of August.

The file, Amministrazione.hlp (“Amministrazione” is Italian for “Administration”) was an example of how cybercriminals can use social engineering to trick unsuspecting users into infecting their computers.

Details of malicious HLP file

If opened, the help file displays an error message:

Error message from .HLP file

Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)

In the background, however, a file called Windows Security Center.exe is being dropped onto the computer, which in turn creates a file called RECYCLER.DLL.

Files dropped by malicious HLP file

Since SophosLabs first saw this malware attack we have been writing more generic detections which should help pick up new variants of the attack proactively:

File name                    | Initial detection | Generic detection
-----------------------------|-------------------|------------------
Amministrazione.hlp          | Troj/HlpDrp-B     | Mal/HlpDrop-A
Windows Security Center.exe  | Troj/DarkDrp-A    | Mal/DarkDrp-A
RECYCLER.DLL                 | Troj/Agent-OVJ    | Mal/DarkShell-A

The DLL part of the malware attack is the keylogger. It’s part of the DarkShell Trojan that has been tied to GhostNet.

The keylogger component is used to log keystrokes made by the user. These are stored in the following file:

\Documents and Settings\username\Local Settings\Application Data\UserData.dat

(where username is the account name of the logged-in user).

The malware attempts to send this data to images.zyns.com (a domain with a long association with malware).
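The chain described above (help file opened, executable dropped, DLL created, keystrokes written to UserData.dat, data sent to images.zyns.com) leaves a recognisable trail in host logs. The following script is an added example, not part of the original post or of any Sophos tooling: it runs a handful of triage rules over constructed, simplified host-event lines (timestamp,event,process,target) and flags the indicators named in the write-up. The log format, the rule names and the assumption that the .HLP viewer process is winhlp32.exe are mine, not the article's.

```python
"""Triage constructed host-event lines for the .HLP dropper chain.

The file names, the keylog path and the C2 domain come from the write-up.
The CSV log format and the rule names are assumptions made for this example.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Indicators taken from the write-up.
DROPPED_FILES = {"windows security center.exe", "recycler.dll"}
KEYLOG_SUFFIX = r"\local settings\application data\userdata.dat"
C2_DOMAIN = "images.zyns.com"
# Assumption: the legacy Windows help viewer, which should not spawn processes.
HELP_VIEWER = "winhlp32.exe"

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
timestamp,event,process,target
2009-09-01T10:00:01,process_create,explorer.exe,winhlp32.exe
2009-09-01T10:00:02,file_create,winhlp32.exe,C:\\Temp\\Windows Security Center.exe
2009-09-01T10:00:03,process_create,winhlp32.exe,Windows Security Center.exe
2009-09-01T10:00:04,file_create,Windows Security Center.exe,C:\\WINDOWS\\system32\\RECYCLER.DLL
2009-09-01T10:05:00,file_write,svchost.exe,C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\UserData.dat
2009-09-01T10:06:00,dns_query,svchost.exe,images.zyns.com
2009-09-01T10:07:00,file_create,notepad.exe,C:\\Documents and Settings\\alice\\notes.txt
"""


@dataclass
class Finding:
    timestamp: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased final path component (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Apply the four indicator rules to every event line, in order."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, event = row["timestamp"], row["event"]
        proc, target = row["process"].lower(), row["target"]

        # Rule 1: one of the named payload files is written to disk.
        if event == "file_create" and basename(target) in DROPPED_FILES:
            findings.append(Finding(ts, "dropped_file", f"{proc} wrote {target}"))

        # Rule 2: the help viewer starts a child process (assumed abnormal).
        if event == "process_create" and proc == HELP_VIEWER:
            findings.append(Finding(ts, "help_viewer_spawn", f"{proc} started {target}"))

        # Rule 3: the keystroke store named in the write-up is written.
        if event in ("file_create", "file_write") and target.lower().endswith(KEYLOG_SUFFIX):
            findings.append(Finding(ts, "keylog_store", f"{proc} wrote {target}"))

        # Rule 4: a lookup of the exfiltration domain.
        if event == "dns_query" and target.lower() == C2_DOMAIN:
            findings.append(Finding(ts, "c2_dns", f"{proc} resolved {target}"))
    return findings


def rule_names(log_text: str) -> List[str]:
    """Convenience wrapper returning only the triggered rule names."""
    return [f.rule for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.rule:18}  {f.detail}")
```

On the sample log the benign notepad.exe write is ignored, while the five events that make up the chain are each flagged; seeing the rules fire in this order on one host is a much stronger signal than any single indicator, since file names are trivial for a new variant to change.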

Stay safe everyone – and remember not to click on .HLP files too readily. They could be harbouring a malware attack.