How a malicious help file can install a spyware keylogger

According to research by the Sophos malware analysis team, hackers are using Windows Help files (.HLP) to infect victims' computers.
Malware authors can create booby-trapped .HLP files that will infect your computer with a keylogger.
The screenshot below shows an example of how a cyber criminal can use social engineering to trick unsuspecting users into infecting their computers.

Administrator.hlp file

If the victim opens this file, they will receive this error message:

Error after opening HLP file

"Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)"

However, in the background a file called Windows Security Center is dropped onto the computer, which in turn creates a file called RECYCLER.DLL.

Files Associated with this threat.
The Recycler.dll file is a keylogger which stores your keystrokes in the following file:
\Documents and Settings\username\Local Settings\Application Data\UserData.dat

The Malware attempts to send this data to

So stay safe: do not click on HLP files without verifying the source of the file.
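
To check a machine for the files named above, here is an added example (not code from Sophos or from the original post): a Python script that sweeps a drive root or a mounted disk image for those file names. The `AppData\Local` location for newer Windows versions, the profile folder names, and the listing of .hlp files found inside user profiles are assumptions of this example; a hit is a lead to review, not proof of infection.

```python
import os
import sys
import time

# Indicators named in the article, lower-cased (Windows names ignore case).
KEYLOG_NAME = "userdata.dat"
KEYLOG_DIRS = {("local settings", "application data"),  # path from the article
               ("appdata", "local")}  # assumption: Vista and later equivalent
DLL_NAME = "recycler.dll"
DROPPER_STEM = "windows security center"  # the article gives no extension
PROFILE_ROOTS = {"documents and settings", "users"}  # assumption


def classify(rel_path):
    """Label a path given relative to the drive root, or return None."""
    parts = [p.lower() for p in rel_path.replace("\\", "/").split("/") if p]
    name = parts[-1] if parts else ""
    stem, ext = os.path.splitext(name)
    if name == KEYLOG_NAME and tuple(parts[-3:-1]) in KEYLOG_DIRS:
        return "keylog-store"
    if name == DLL_NAME:
        return "keylogger-dll"
    if stem == DROPPER_STEM:
        return "dropper-name"
    if ext == ".hlp" and parts[0] in PROFILE_ROOTS:
        return "hlp-in-profile"  # Help file outside the Windows folder
    return None


def sweep(root):
    """Walk root and return (label, relative path, size, mtime) per hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            label = classify(rel)
            if label is None:
                continue
            try:
                st = os.stat(os.path.join(root, rel))
            except OSError:
                continue  # unreadable or vanished file: skip it
            hits.append((label, rel, st.st_size, time.ctime(st.st_mtime)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(*hit, sep="\t")
```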

