
not-a-virus:Monitor.Win32.Ardamax.te

Detected Aug 09 2010 01:02 GMT
Released Aug 09 2010 17:22 GMT
Published Oct 25 2010 14:08 GMT

Technical Details
Payload
Removal instructions

Technical Details

This program contains functions that track the user's activity on the computer. It is a Windows application (PE EXE file). It is 525 312 bytes in size. It is written in C++.

Installation

In order to ensure that it is launched automatically each time the system is rebooted, it adds a link to its executable file in the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<name of executable file without extension> Agent" = "<path to original program body>"


Payload

It adds the following entries to the system registry keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
"DisplayName" = "Ardamax Keylogger 2.9"
"UninstallString" = "<path to directory with program body>\Uninstall.exe"
In the Windows Programs directory it adds a shortcut to its original file:
%ALLUSERSPROFILE%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk
This program is designed to track and log user activity. The interface supports 3 languages: Russian, English, and German.

Depending on the settings, it can perform the following actions:

  • Log the user's keystrokes
  • Log chats when the user uses the following instant messaging programs:
    Yahoo Messenger
    ICQ 6
    ICQ Pro
    ICQ Lite
    Skype 3
    Skype
    Windows Messenger
    Qip
    Miranda
    Google Talk
    MSN Messenger
    
  • Keep a log of the clipboard
  • Save screenshots of the active window or entire screen
  • Log visited Internet resources when the following browsers are used:
    Internet Explorer
    Opera
    Mozilla Firefox
    
  • Log characters entered with the input method editor (IME tracking)

Collected data is encrypted and saved to files in the program's directory:
    <path to program file>\<name of program without extension>.00<number from 1 to 9>

This data is sent as an HTML page or in encrypted form, depending on the settings applied. The delivery method is also specified in the program settings and may be one of the following:

  • Over the local network (receiver's address is specified)
  • To an FTP server
  • To a mailbox, specified in settings

It can operate in "stealth mode". To do so, it can perform the following actions:

  • Hide its icon in the system tray
  • Delete the previously created shortcut to its file from the Windows Programs directory (so the program is no longer visible in the Start menu)
  • Delete the previously created registry key:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
    "DisplayName" = "Ardamax Keylogger 2.9"
    "UninstallString" = "<path to directory with program body>\Uninstall.exe"
    
  • Assign "hidden" and "system" attributes to the directory with the original body of the program

The log file can be viewed by using another program called Log Viewer, which is available when purchasing the program at the following site:

http://www.ardamax.com
More detailed information for the program can be found at:
http://www.ardamax.com/keylogger/


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the program process.
    The program name and its path can be determined by analyzing the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "<name of executable file without extension> Agent" = "<path to original program body>"
  2. Remove the original Trojan file, the log files, and the shortcut file:
    %ALLUSERSPROFILE%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk
    <path to program file>\<name of program without extension>.00<number from 1 to 9>
  3. Delete the following system registry key parameter (see What is a system registry and how do I use it?):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "<name of executable file without extension> Agent" = "<path to original program body>"
  4. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
  5. Empty the Temporary Internet Files directory:
    %Temporary Internet Files%
  6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
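The artifacts listed in the Installation, Payload and Removal sections (the "<name> Agent" autorun value that points at a binary of the same name, and the "<name>.001" to "<name>.009" log files beside it) can be checked for programmatically. The following is an added example, not Kaspersky Lab's tooling; the Run-key entries and directory listing are constructed sample data (on a live host they would come from winreg and os.listdir), and the "XHGF" name is a placeholder.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of (value name, value data) pairs as read from
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on a hypothetical host.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("XHGF Agent", r"C:\Program Files\XHGF\XHGF.exe"),         # Ardamax-style entry
    ("Update Agent", r"C:\Program Files\Vendor\updater.exe"),   # suffix only, no basename match
]

AGENT_SUFFIX = " Agent"


def ardamax_run_entries(run_values):
    """Return (name, path) pairs whose value name is '<exe basename> Agent'
    and whose data points at an executable with that same basename,
    which is the autorun pattern described above."""
    hits = []
    for name, data in run_values:
        if not name.endswith(AGENT_SUFFIX):
            continue
        stem = name[: -len(AGENT_SUFFIX)]
        exe = PureWindowsPath(data.strip('"'))
        if exe.stem.lower() == stem.lower():
            hits.append((name, str(exe)))
    return hits


def log_file_pattern(exe_path):
    """Regex for the encrypted log files '<name>.001' .. '<name>.009'
    that the program writes next to its own body."""
    stem = PureWindowsPath(exe_path).stem
    return re.compile(rf"^{re.escape(stem)}\.00[1-9]$", re.IGNORECASE)


def find_log_files(exe_path, directory_listing):
    """Filter a listing of the program directory down to its log files."""
    pat = log_file_pattern(exe_path)
    return sorted(f for f in directory_listing if pat.match(f))


if __name__ == "__main__":
    for name, path in ardamax_run_entries(SAMPLE_RUN_VALUES):
        print(f"autorun entry {name!r} -> {path}")
        # Constructed listing of the program directory for the sample host.
        listing = ["XHGF.001", "XHGF.003", "XHGF.010", "Uninstall.exe"]
        print("log files:", find_log_files(path, listing))
```

The remaining cleanup steps (the Uninstall\Ardamax Keylogger key, the Start Menu shortcut and the Temporary Internet Files directory) are fixed paths and need no pattern matching.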


md5: 0C7A714B8E1D2EAD2AFC90DCC43BBE18
sha1: 66736613F22771F5DA5606ED8C80B572B3F5C103


Monitor

Programs of this type are able to monitor computer activity (active processes, network activity, etc.) and are not malicious programs. However, these actions may be performed with malicious intent.

If a user has installed such a program on his/her computer, or if it was installed by a system administrator, then it does not pose any threat.


Aliases

not-a-virus:Monitor.Win32.Ardamax.te (Kaspersky Lab) is also known as:

  • Virus: W32/Autorun.worm.f (McAfee)
  • Mal/Drpr-B (Sophos)
  • Heuristics.Broken.Executable (ClamAV)
  • Trj/Autoit.gen (Panda)
  • Application/Ardamax (Panda)
  • Worm:Win32/Nuqel.Z (MS(OneCare))
  • Program.Ardamax (DrWeb)
  • Win32.Worm.AutoIt.EG (BitDef7)
  • Trojan.Generic.6942921 (BitDef7)
  • TrojanSpy.Ardamax.WQ (VirusBuster)
  • Trojan-Spy.Ardamax.J (Ikarus)
  • Worm.Win32.AutoIt (Ikarus)
  • Ardamax.APU (AVG)
  • Luhe.Fiha.A (AVG)
  • TR/Spy.Ardamax.J (AVIRA)
  • TR/Dropper.Gen (AVIRA)
  • W32/Obfuscated.D!genr (Norman)
  • Trojan.Spy.Win32.Ardamax.dlm (Rising)
  • Trojan.Generic.6942921 [Aquarius] (FSecure)
  • WORM_SOHAND.SM (TrendMicro)
  • Trojan.Win32.Generic!SB.0 (Sunbelt)
  • TrojanSpy.Ardamax.WQ (VirusBusterBeta)
  • W32/SOHAND.SM!worm (Fortinet)
  • Trojan.Generic.6942921 (GData)
  • Win32.Worm.AutoIt.EG (GData)