
Wednesday, 14 March 2012

not-a-virus:Monitor.Win32.Ardamax.te


Technical Details

This program contains functions that track the user's activity on the computer. It is a Windows application (PE EXE file). It is 525 312 bytes in size. It is written in C++.

Installation

In order to ensure that it is launched automatically each time the system is rebooted, it adds a link to its executable file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<name of executable file without extension> Agent" = "<path to original program body>"

Payload

It adds the following entries to the system registry keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
"DisplayName" = "Ardamax Keylogger 2.9"
"UninstallString" = "<path to directory with program body>\Uninstall.exe"
In the Windows Programs directory it adds a shortcut to its original file:
%ALLUSERSPROFILE%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk
This program is designed to track and log user activity. The interface supports 3 languages: Russian, English, and German.
Depending on the settings, it can perform the following actions:
  • Log the user's keystrokes
  • Log chats when the user uses the following instant messaging programs:
    Yahoo Messenger
    ICQ 6
    ICQ Pro
    ICQ Lite
    Skype 3
    Skype
    Windows Messenger
    Qip
    Miranda
    Google Talk
    MSN Messenger
    
  • Keep a log of the clipboard
  • Save screenshots of the active window or entire screen
  • Log visited Internet resources when the following browsers are used:
    Internet Explorer
    Opera
    Mozilla Firefox
    
  • Log characters entered with the input method editor (IME tracking)
Collected data is encrypted and saved to files in the program's directory:
    \<name of program without extension>.00<number from 1 to 9>
This data is sent as an HTML page or in an encrypted form, depending on the settings applied. The information gathering method is also specified in the program settings and may be one of the following:
  • Over the local network (receiver's address is specified)
  • To an FTP server
  • To a mailbox, specified in settings
It can operate in "stealth mode". To do so, it can perform the following actions:
  • Hide its icon in the system tray
  • Delete the previously created shortcut to its file from the Windows Programs directory (so the program is no longer visible in the Start menu)
  • Delete the previously created registry key:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
    "DisplayName" = "Ardamax Keylogger 2.9"
    "UninstallString" = "<path to directory with program body>\Uninstall.exe"
    
  • Assign "hidden" and "system" attributes to the directory with the original body of the program
The log file can be viewed by using another program called Log Viewer, which is available when purchasing the program at the following site:
http://www.ardamax.com
More detailed information for the program can be found at:
http://www.ardamax.com/keylogger/

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Use Task Manager to terminate the program process.
    The program name and its path can be determined by analyzing the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "<name of executable file without extension> Agent" = "<path to original program body>"
  2. Remove the original Trojan file, the log files, and the shortcut file:
    %ALLUSERSPROFILE%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk
    <path to program file>\<name of program without extension>.00<number from 1 to 9>
  3. Delete the following system registry key parameter (see What is a system registry and how do I use it?):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "<name of executable file without extension> Agent" = "<path to original program body>"
  4. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
  5. Empty the Temporary Internet Files directory:
    %Temporary Internet Files%
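The artifacts this description lists (the autorun value, the uninstall key, the Start Menu shortcut, the ".001" to ".009" log files and the hidden/system directory) can be checked in one pass before removal. The PowerShell audit below is an added example, not part of the original description and not code from Ardamax or the antivirus vendor; it only reads and reports, and each finding is tagged with the manual removal step it belongs to. Beyond what the page states it assumes two things: the 32-bit WOW6432Node view of the Run key is also worth checking, and the common Programs folder is resolved with [Environment]::GetFolderPath('CommonPrograms') because the %ALLUSERSPROFILE%\Start Menu path quoted above is the Windows XP layout.

```powershell
<#
 Added audit script: not part of the original description and not code from
 Ardamax or the antivirus vendor. It reads the locations the page names and
 reports what it finds; it changes nothing, so removal still follows the
 manual steps above. Assumptions beyond the page: the WOW6432Node Run key is
 also inspected, and the common Start Menu folder is resolved with
 GetFolderPath('CommonPrograms') in addition to the XP-era path quoted above.
#>

$findings    = @()
$programDirs = @()
$psNoise     = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Installation / step 1: autorun value "<exe name without extension> Agent" = "<path>"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # assumption: 32-bit view
)
foreach ($runKey in $runKeys) {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        if ($p.Name -notlike '* Agent') { continue }
        $exePath = ([string]$p.Value) -replace '^"|"$', ''      # drop surrounding quotes
        $exeBase = [IO.Path]::GetFileNameWithoutExtension($exePath)
        # The value name must be exactly the executable's base name plus " Agent"
        if ($p.Name -ne "$exeBase Agent") { continue }
        $findings += "[step 3] Autorun value '$($p.Name)' in $runKey -> $exePath"
        $dir = Split-Path -Path $exePath -Parent
        if ($dir) { $programDirs += $dir }
        # Step 1: the process the page says to end in Task Manager
        foreach ($proc in @(Get-Process -Name $exeBase -ErrorAction SilentlyContinue)) {
            $findings += "[step 1] Process running: $($proc.ProcessName) (PID $($proc.Id))"
        }
    }
}

# Payload / step 4: uninstall key
$uninstKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger'
if (Test-Path -LiteralPath $uninstKey) {
    $u = Get-ItemProperty -Path $uninstKey
    $findings += "[step 4] Uninstall key present: DisplayName='$($u.DisplayName)', UninstallString='$($u.UninstallString)'"
}

# Payload / step 2: Start Menu shortcut (page path first, then the resolved common folder)
$programsFolders = @(
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs'),   # path as quoted on the page (XP layout)
    [Environment]::GetFolderPath('CommonPrograms')            # assumption: correct folder on later Windows
)
foreach ($folder in ($programsFolders | Sort-Object -Unique)) {
    $lnk = Join-Path $folder 'Ardamax Keylogger\Ardamax Keylogger.lnk'
    if (Test-Path -LiteralPath $lnk) { $findings += "[step 2] Start Menu shortcut present: $lnk" }
}

# Stealth mode / step 2: hidden+system program directory and encrypted logs ".001".."009"
foreach ($dir in ($programDirs | Sort-Object -Unique)) {
    $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    if ($item.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $item.Attributes.HasFlag([IO.FileAttributes]::System)) {
        $findings += "[stealth] Program directory has hidden+system attributes: $dir"
    }
    $logs = Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.00[1-9]$' }
    foreach ($log in @($logs)) {
        $findings += "[step 2] Encrypted log file: $($log.FullName) ($($log.Length) bytes)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Ardamax Keylogger indicators from the description were found.'
} else {
    Write-Output 'Indicators found (review, then follow the manual removal steps):'
    foreach ($f in $findings) { Write-Output "  $f" }
}
```

Run it from an elevated prompt so that the hidden directory and processes of other sessions are visible. The autorun check deliberately requires the value name to equal the executable's own base name plus " Agent", as the description specifies, rather than flagging every value that merely ends in "Agent"; that keeps unrelated software with similar names out of the report.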
