Internet threat level: 1
Home→Descriptions→not-a-virus:Monitor.Win32.Ardamax.te
not-a-virus:Monitor.Win32.Ardamax.te
| Detected | Aug 09 2010 01:02 GMT |
| Released | Aug 09 2010 17:22 GMT |
| Published | Oct 25 2010 14:08 GMT |
Payload
Removal instructions
Technical Details
This program contains functions that track the user's activity on the computer. It is a Windows application (PE EXE file). It is 525 312 bytes in size. It is written in C++.
Installation
In order to ensure that it is launched automatically each time the system is rebooted, it adds a link to its executable file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "<name of executable file without extension> Agent" = "<path to original program body>"
Payload
It adds the following entries to the system registry keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger] "DisplayName" = "Ardamax Keylogger 2.9" "UninstallString" = "<path to directory with program body>\Uninstall.exe"In the Windows Programs directory it adds a shortcut to its original file:
%ALLUSERSPROFILE%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnkThis program is designed to track and log user activity. The interface supports 3 languages: Russian, English, and German.
Depending on the settings, it can perform the following actions:
- Log the user's keystrokes
- Log chats when the user uses the following instant messaging programs:
Yahoo Messenger ICQ 6 ICQ Pro ICQ Lite Skype 3 Skype Windows Messenger Qip Miranda Google Talk MSN Messenger
- Keep a log of the clipboard
- Save screenshots of the active window or entire screen
- Log visited Internet resources when the following browsers are used:
Internet Explorer Opera Mozilla Firefox
- Log characters entered with the input method editor (IME tracking)
Collected data is encrypted and saved to files in the program's directory:
\<name of program without extension>.00<number from 1 to 9>
This data is sent as an HTML page or in an encrypted form, depending on the settings applied. The information gathering method is also specified in the program settings and may be one of the following:
- Over the local network (receiver's address is specified)
- To an FTP server
- To a mailbox, specified in settings
It can operate in "stealth mode". To do so, it can perform the following actions:
- Hide its icon in the system tree
- Delete the previously created shortcut to its file from the Windows Programs directory (thereby the program will not be visible in the Start menu)
- Delete the previously created registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger] "DisplayName" = "Ardamax Keylogger 2.9" "UninstallString" = "<path to directory with program body>\Uninstall.exe"
- Assign "hidden" and "system" attributes to the directory with the original body of the program
The log file can be viewed by using another program called Log Viewer, which is available when purchasing the program at the following site:
http://www.ardamax.comMore detailed information for the program can be found at:
http://www.ardamax.com/keylogger/
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the program process.
The program name and its path can be determined by analyzing the following system registry key (see What is a system registry and how do I use it?):[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "<name of executable file without extension> Agent" = "<path to original program body>"
- Remove the original Trojan file, the log files, and the shortcut file:
%ALLUSERSPROFILE%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk <path to program file>\<name of program without extension>.00<number from 1 to 9>
- Delete the following system registry key parameter (see What is a system registry and how do I use it?):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "<name of executable file without extension> Agent" = "<path to original program body>"
- Delete the following system registry key (see What is a system registry and how do I use it?):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
- Empty the Temporary Internet Files directory:
%Temporary Internet Files%
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
md5: 0C7A714B8E1D2EAD2AFC90DCC43BBE18
sha1: 66736613F22771F5DA5606ED8C80B572B3F5C103
Programs of this type are able to monitor computer activity (active processes, network activity, etc.) and are not malicious programs. However, these actions may be performed with malicious intent.
If a user has installed such a program on his/her computer, or if it was installed by a system administrator, then it does not pose any threat.
not-a-virus:
- Virus:
W32/Autorun. worm. f (McAfee) - Mal/Drpr-B (Sophos)
- Heuristics.
Broken. Executable (ClamAV) - Trj/Autoit.
gen (Panda) - Application/Ardamax (Panda)
- Worm:
Win32/Nuqel. Z (MS(OneCare)) - Program.
Ardamax (DrWeb) - Win32.
Worm. AutoIt. EG (BitDef7) - Trojan.
Generic. 6942921 (BitDef7) - TrojanSpy.
Ardamax. WQ (VirusBuster) - Trojan-Spy.
Ardamax. J (Ikarus) - Worm.
Win32. AutoIt (Ikarus) - Ardamax.
APU (AVG) - Luhe.
Fiha. A (AVG) - TR/Spy.
Ardamax. J (AVIRA) - TR/Dropper.
Gen (AVIRA) - W32/Obfuscated.
D!genr (Norman) - Trojan.
Spy. Win32. Ardamax. dlm (Rising) - Trojan.
Generic. 6942921 [Aquarius] (FSecure) - WORM_SOHAND.
SM (TrendMicro) - Trojan.
Win32. Generic!SB. 0 (Sunbelt) - TrojanSpy.
Ardamax. WQ (VirusBusterBeta) - W32/SOHAND.
SM!worm (Fortinet) - Trojan.
Generic. 6942921 (GData) - Win32.
Worm. AutoIt. EG (GData)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.