||||
Symantec.com > Security Response > Threats and Risks > Spyware.MiniKeylogger
PRINT THIS PAGE

Spyware.MiniKeylogger

Printer Friendly Page

Updated: February 13, 2007 11:48:19 AM
Type: Spyware
Risk Impact: High
File Names: MiniKeylogger.exe Mklmon32.exe Mlkmon32.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.MiniKeylogger is installed, it performs the following actions:
  1. Presents a GUI for the initial configuration. When this risk is installed, it presents a GUI for the initial configuration. This GUI may be used to run the risk in the background, so the risk will continue to run after the GUI is closed. In other words, the risk can run in stealth mode.

    The risk may also be configured to monitor the following Windows events:

    • Windows activities (open, close, shutdown, startup)
    • Mouse activities
    • Keystrokes
    • Clipboard content
    • Power status
    • File operations
    • Dial up activities
    • Internet Explorer activities
    • User account activities

  2. Creates the following files:

    • %Windir%\mklws.ini
    • %Windir%\pcasav.ini
    • %System%\mkls.dat
    • %System%\pcamon32.dat
    • %System%\mklmon32.exe
    • %System%\mklmon32.dll
    • %System%\mklmon10.dll
    • %System%\pcamon32.exe
    • %System%\pcamon32.dll
    • %System%\pcamon10.dll
    • %System%\pcamon20.dll

      Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Creates the following folders:

    • %System%\mkldat
    • %System%\pcadat

  4. Creates the following services:

    • Mklmonservice
    • Pcamonservice

  5. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pca
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pcamon
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCAMONSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCAMONSERVICE

  6. Adds the value:

    "" = "pcamon"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pca

  7. Loads the following driver, when stealth mode is activated, and uses it to hide its process and service:

    mchinjdrv.sys

    Note: The spyware is developed in two different versions, named MiniKeyLogger and PcAgent. Installed files, directories and registry keys vary depending on the version of the spyware.


Search by name
Example: W32.Beagle.AG@mm
Windows 7
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS