Spyware.MDetect

Updated:
August 09, 2006
Risk Impact:
High
Systems Affected:
Windows

Behavior

Spyware.MDetect is a security risk that can monitor and log IM conversations that take place over the local network.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 29, 2018 revision 018
  • Initial Daily Certified version August 09, 2006
  • Latest Daily Certified version March 29, 2018 revision 032
  • Initial Weekly Certified release date August 09, 2006

When the security risk is executed, it creates the following files:
%UserProfile%\Start Menu\Programs\Messenger Detect\Messenger Detect.lnk
%UserProfile%\Start Menu\Programs\Messenger Detect\Uninstall.lnk
%UserProfile%\Start Menu\Programs\Messenger Detect\User manual.lnk
%ProgramFiles%\Messenger Detect\emotions\*.bmp
%ProgramFiles%\Messenger Detect\emotions\list.txt
%ProgramFiles%\Messenger Detect\ErrorLog.txt
%ProgramFiles%\Messenger Detect\mdetect.chm
%ProgramFiles%\Messenger Detect\MessengerDetect.exe
%ProgramFiles%\Messenger Detect\Uninstall.exe
%ProgramFiles%\Messenger Detect\User\Device.cfg
%ProgramFiles%\Messenger Detect\User\msnlog.cfg
%ProgramFiles%\Messenger Detect\User\user.sav

The risk will also install WinPcap if it is not already installed on the system.

Note: WinPcap is a network packet capture utility that may be used by legitimate applications.

Next, the risk creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Messenger Detect
HKEY_LOCAL_MACHINE\SOFTWARE\Messenger Detect

The risk then adds the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"YSUsed_1MD" = "[RANDOM BINARY NUMBER]"

Spyware.MDetect can log all IM traffic from a number of well-known IM clients. The security risk does not need to be installed on the monitored computers; it only needs to run on one machine on the LAN, where it puts the network interface into promiscuous mode to capture traffic and perform its logging and blocking actions.
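As an added example (not from the Symantec write-up), the following PowerShell check reports whether the file, registry and WinPcap indicators described above are present on a host. The WinPcap `NPF` service name and the use of the `Programs` special folder (the Start Menu location moved after Windows XP, so the write-up's `%UserProfile%\Start Menu` path is resolved that way) are assumptions not stated on the page.

```powershell
# Added example (not part of the Symantec write-up): report the host indicators
# the write-up lists for Spyware.MDetect. Run from an elevated PowerShell prompt.
$programsDir = [Environment]::GetFolderPath('Programs')   # current user's Start Menu\Programs
$mdDir       = Join-Path $env:ProgramFiles 'Messenger Detect'

$filePaths = @(
    (Join-Path $programsDir 'Messenger Detect\Messenger Detect.lnk'),
    (Join-Path $programsDir 'Messenger Detect\Uninstall.lnk'),
    (Join-Path $programsDir 'Messenger Detect\User manual.lnk'),
    (Join-Path $mdDir 'emotions\*.bmp'),      # wildcard: any .bmp in this folder
    (Join-Path $mdDir 'emotions\list.txt'),
    (Join-Path $mdDir 'ErrorLog.txt'),
    (Join-Path $mdDir 'mdetect.chm'),
    (Join-Path $mdDir 'MessengerDetect.exe'),
    (Join-Path $mdDir 'Uninstall.exe'),
    (Join-Path $mdDir 'User\Device.cfg'),
    (Join-Path $mdDir 'User\msnlog.cfg'),
    (Join-Path $mdDir 'User\user.sav')
)
$registryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Messenger Detect',
    'HKLM:\SOFTWARE\Messenger Detect'
)
$findings = New-Object System.Collections.Generic.List[string]

foreach ($p in $filePaths) {
    # Test-Path -Path honours the wildcard entry; the rest are plain paths.
    if (Test-Path -Path $p) { $findings.Add("file: $p") }
}
foreach ($k in $registryKeys) {
    if (Test-Path -Path $k) { $findings.Add("registry key: $k") }
}

# The value name from the write-up; its data is random, so only presence is checked.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' `
        -Name 'YSUsed_1MD' -ErrorAction SilentlyContinue
if ($cv) { $findings.Add('registry value: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\YSUsed_1MD') }

# WinPcap registers its kernel packet-capture driver as the "NPF" service
# (service name from general knowledge of WinPcap, not from the write-up).
# Its presence alone is not conclusive: legitimate tools also install WinPcap.
if (Get-Service -Name 'NPF' -ErrorAction SilentlyContinue) {
    $findings.Add('service: NPF (WinPcap driver present)')
}

if ($findings.Count -eq 0) { 'No Spyware.MDetect indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { " - $_" } }
```

A hit on the Messenger Detect files or registry keys is the meaningful signal; the NPF line only tells you a packet driver is installed and should be weighed against the other findings.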