
MonitoringTool:Win32/Ardamax


First posted on 15 February 2019.
Source: Microsoft

Aliases:

MonitoringTool:Win32/Ardamax is also known as Win-Trojan/Ardamax.404480, W32/Ardamax.G, Potentially Harmful program Ardamax.MN, Win32/KeyLogger.Ardamax, not-a-virus:Monitor.Win32.Ardamax.w, Ardamax.Keylogger, Spyware.Ardakey, RiskWare.Ardamaxview.A.

Explanation:

Installation

The tool can be installed from a product website. It might install the following files:

%APPDATA%\SMDQDKIJE.exe
%ProgramFiles%\ardamax keylogger\akv.exe
%ProgramFiles%\KWOSGAQXI.exe

The tool can also be configured to run in a hidden mode, which completely hides it from the Task Manager and the Programs menu.

It changes the following registry entry so that it runs each time you start your PC: 

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "QXI Start"
With data: "%ProgramData%\KWOSGAQXI"

It might also add itself as an entry in the "Add or Remove Programs" page.
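The persistence mechanism described above is a plain Run-key value, so an analyst reviewing an exported copy of that key can spot it without the tool's own interface. The script below is an added example and is not part of Microsoft's write-up: it parses a constructed .reg-style export of HKLM\Software\Microsoft\Windows\CurrentVersion\Run (the sample lines, the environment-variable map, and the benign filler entries are all constructed here) and flags any value whose name matches the "QXI Start" indicator from this page, whose target lives under a user-writable directory such as %ProgramData% or %APPDATA%, or whose target has no file extension.

```python
"""Audit a Run-key export for persistence entries of the kind this page describes.

Added example, not Microsoft's code. It reads a text export of the Run key
rather than the live registry so it runs on any platform.
"""
import ntpath
import re

# Constructed sample export. The "QXI Start" line mirrors the entry from the
# write-up; the other two entries are benign-looking filler for contrast.
SAMPLE_RUN_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%ProgramFiles%\\Windows Defender\\MSASCuiL.exe"
"QXI Start"="%ProgramData%\\KWOSGAQXI"
"OneDriveUpdater"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

# Constructed expansion table (an assumption, not read from a real machine).
ENV = {
    "%ProgramData%": r"C:\ProgramData",
    "%APPDATA%": r"C:\Users\analyst\AppData\Roaming",
    "%ProgramFiles%": r"C:\Program Files",
}

# Value name documented on this page for the Ardamax autostart entry.
KNOWN_VALUE_NAME = "QXI Start"
# Directory prefixes a standard user can write to (after expansion).
USER_WRITABLE = (r"C:\ProgramData", r"C:\Users")

# One exported string value:  "name"="data"   (quotes and backslashes escaped)
RUN_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"="(?P<data>.*)"\s*$')


def _unescape(s):
    """Undo .reg escaping: \\" -> " and \\\\ -> \\ (in that order)."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_run_export(text):
    """Return (value_name, data) pairs for every string value in the export."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append((_unescape(m.group("name")), _unescape(m.group("data"))))
    return entries


def expand_env(path, env=ENV):
    """Expand %VAR% tokens case-insensitively using the supplied table."""
    table = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%[^%]+%", lambda m: table.get(m.group(0).upper(), m.group(0)), path)


def executable_path(command):
    """Extract the launched file from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, arguments may follow
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.*?\.exe)", command)  # unquoted path containing spaces
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def assess_entry(name, data, env=ENV):
    """Return the list of reasons this entry deserves attention (empty if none)."""
    reasons = []
    if name.strip().lower() == KNOWN_VALUE_NAME.lower():
        reasons.append("value name matches the Ardamax persistence entry")
    path = executable_path(expand_env(data, env))
    if path.lower().startswith(tuple(p.lower() for p in USER_WRITABLE)):
        reasons.append("target lives under a user-writable directory")
    if not ntpath.splitext(path)[1]:
        reasons.append("target has no file extension")
    return reasons


def audit_run_export(text, env=ENV):
    """Map each suspicious value name to its reasons."""
    findings = {}
    for name, data in parse_run_export(text):
        reasons = assess_entry(name, data, env)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_run_export(SAMPLE_RUN_EXPORT).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

Feed it a real export (reg export of the Run key, or the equivalent lines from an Autoruns listing) and replace ENV with the expansions from the examined host; the three checks are independent, so an entry under a renamed value name is still caught by the location and extension heuristics.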

Behavior

Steals your information

The tool can capture or record information about what you are doing on your PC without you knowing it. It can:

Log and record what you type on your keyboard, such as user names and passwords
Periodically take pictures with your webcam
Take screen shots
Intercept and keep a record of communications in chat rooms and instant messengers like AIM, Windows Live Messenger, ICQ, Skype, Yahoo Messenger, Google Talk, Miranda, and QiP
Record what you copy to the clipboard
Record the websites you visit
Track what programs you run and other things that you do on your PC

This threat can also send the stolen information to an email address, or over an FTP connection that is specified when the tool is installed.

A user can run the tool on the PC by clicking on a desktop shortcut, or it can automatically run whenever the PC starts. It might appear in the task bar icon tray. However, if it is running in hidden mode, you might not see an icon in the task bar, on the desktop, or in the Start menu or Start screen.

Additional information

We have seen the following malware use Ardamax to steal data:

PWS:MSIL/Petun.A
Backdoor:MSIL/Bladabindi
Worm:Win32/Nuqel

Analysis by Mihai Calota

Last update 15 February 2019
