Keylog-Melcarr

This page shows details and results of our analysis of the malware Keylog-Melcarr.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4385 (2004-08-11)

Updated DAT

4385 (2004-08-11)

Minimum Engine

5.1.00

File Length

43,520

Description Added

2004-08-11

Description Modified

2004-08-12


Characteristics

This is a trojan that installs itself on the victim's system for the purpose of logging any keys pressed and sending this log to a remote computer. It possesses its own SMTP engine, and the logged data is sent via email to the attacker. It may also post this data via HTTP to a remote PHP file. By doing this, it allows the attacker to grab sensitive information, which may include usernames and passwords.

Symptoms

Upon execution, the trojan copies itself to the %SysDir% folder under a randomly generated filename and modifies the registry to automatically load itself into memory at the next startup.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "%Random name%" = %Random name%.exe

It creates a file with .DLL extension in the same folder.  This file is not really a DLL but a log file which stores the captured keystrokes made by the user.

The trojan will then send the DLL file to the attacker via email by using its own SMTP engine.

This trojan will retrieve system information such as OS version, cached passwords, disk space and processor speed, and furthermore will attempt to post this data via HTTP to a remote PHP file.
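A detection-side check for the two artefacts described above (a Run value named after the .exe it launches, and a keystroke log stored under a .DLL extension). This is an added example for this page, not code from the original description; the system folder contents and Run values are constructed sample data, and the function names are hypothetical.

```python
"""Hunt for the two Keylog-Melcarr artefacts described above:
a Run-key value whose name matches the .exe it launches, and a
".dll" in the system folder that is not a real PE image."""
import os
import tempfile

PE_MAGIC = b"MZ"  # every genuine Windows DLL/EXE starts with this


def fake_dll_files(sysdir):
    """Return .dll files in sysdir whose first two bytes are not 'MZ'.
    A keystroke log saved with a .DLL extension fails this check."""
    hits = []
    for name in os.listdir(sysdir):
        path = os.path.join(sysdir, name)
        if name.lower().endswith(".dll") and os.path.isfile(path):
            with open(path, "rb") as fh:
                if fh.read(2) != PE_MAGIC:
                    hits.append(name)
    return sorted(hits)


def suspicious_run_entries(run_values, sysdir):
    """run_values: {value_name: command} as read from HKLM\\...\\Run.
    Flag entries of the form "<name>" = <name>.exe where <name>.exe
    lives in sysdir, the persistence pattern described for this trojan."""
    hits = []
    for value_name, command in run_values.items():
        exe = os.path.basename(command.strip('"'))
        stem, ext = os.path.splitext(exe)
        if (ext.lower() == ".exe" and stem.lower() == value_name.lower()
                and os.path.isfile(os.path.join(sysdir, exe))):
            hits.append(value_name)
    return sorted(hits)


def demo():
    """Constructed sample system folder and Run key (not real data)."""
    sysdir = tempfile.mkdtemp()
    with open(os.path.join(sysdir, "kernel32.dll"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x90\x00" + b"\0" * 60)   # looks like a PE
    with open(os.path.join(sysdir, "qzxv.dll"), "wb") as fh:
        fh.write(b"[12:01] user typed: ...\r\n")         # keystroke log
    with open(os.path.join(sysdir, "qzxv.exe"), "wb") as fh:
        fh.write(PE_MAGIC + b"\0" * 62)                  # the dropped copy
    run = {"qzxv": os.path.join(sysdir, "qzxv.exe"), "SoundMan": "SOUNDMAN.EXE"}
    return fake_dll_files(sysdir), suspicious_run_entries(run, sysdir)


if __name__ == "__main__":
    print(demo())
```

On a live host, read the Run values with winreg and point sysdir at the real %SysDir%; the MZ check alone will also surface other non-PE files parked under a .dll name.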

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants