
TrojanSpy:Win32/Ardamax.BF


First posted on 11 April 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Ardamax.BF is also known as Win-Trojan/Ardamax.14848.B (AhnLab), TR/Spy.Ardamax.cko (Avira), Trojan.DownLoad.1726 (Dr.Web), Trojan-Spy.Win32.Ardamax.e (Kaspersky), Keylog-Ardamax.dr.gen (McAfee), MonitoringTool:Win32/Ardamax (other), Trojan.Spy.Win32.Ardamax.e (Rising AV), Ardamax Installer (Sophos), TSPY_ARDAMAX.E (Trend Micro), Trojan.DR.Ardamax.Gen.3 (VirusBuster).

Explanation:

TrojanSpy:Win32/Ardamax.BF is a key logger that is configured to capture and save user activity to a log file. Win32/Ardamax could be configured by a malware author to send the log file to a specified address.





Installation

The installer for TrojanSpy:Win32/Ardamax.BF may be distributed as a file with an enticing name, or as a file attached to a spammed email, for example:

From: (spoofed sender)
To: (recipient)
Subject: Re: Hi Allana check out my Photos
Attachment: photos.zip (photos.exe)
Hi Allana
I sent you some pictures, just click on the Zip file it should open then click on photos..
Tell me what you think of my photos
Sian x



This malware may be present under a file name that varies between iterations of the trojan. The following are examples of files created when the trojan is executed:

%windir%\system32<character string>.001 (example: "system32jgii.001")
%windir%\system32<character string>.006
%windir%\system32<character string>.007
%windir%\system32<character string>.exe (example: "systemakv.exe")
%windir%\system.ini
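The artifact pattern above (a variable stem carrying the unusual .001/.006/.007 extensions, with a related .exe) is something a responder can hunt for directly. The following is an added example, not part of the Microsoft write-up; the directory listing it scans is constructed, and the stem names in it are illustrative only.

```python
"""Hunt for the file cluster described for TrojanSpy:Win32/Ardamax.BF.

The write-up names <character string>.001, .006 and .007 files plus a
<character string>.exe in the system directory. This helper groups a
directory listing by stem, flags every stem that carries one of the data
extensions, and notes whether a same-stem .exe sits beside it.
"""
import os
from collections import defaultdict

# Extensions the write-up lists for the trojan's data files.
ARDAMAX_DATA_EXTS = {".001", ".006", ".007"}


def find_ardamax_clusters(filenames):
    """Return {stem: {"data": [exts], "has_exe": bool}} for suspicious stems.

    A stem is suspicious when at least one .001/.006/.007 file uses it.
    A sibling .exe with the same stem strengthens the finding; its absence
    does not clear it, since the write-up's example .exe stem differs.
    """
    by_stem = defaultdict(set)
    for name in filenames:
        stem, ext = os.path.splitext(os.path.basename(name))
        ext = ext.lower()
        if ext in ARDAMAX_DATA_EXTS or ext == ".exe":
            by_stem[stem.lower()].add(ext)
    return {
        stem: {"data": sorted(exts & ARDAMAX_DATA_EXTS),
               "has_exe": ".exe" in exts}
        for stem, exts in by_stem.items()
        if exts & ARDAMAX_DATA_EXTS
    }


def scan_directory(path):
    """Run the check against a real directory, e.g. %windir%\\system32."""
    return find_ardamax_clusters(os.listdir(path))


# Constructed listing standing in for a system32 directory.
SAMPLE_LISTING = [
    "kernel32.dll", "ntdll.dll", "notepad.exe", "calc.exe",
    "jgii.001", "jgii.006", "jgii.007", "jgii.exe",   # full cluster
    "orphan.006",                                      # data file alone
]

if __name__ == "__main__":
    for stem, info in find_ardamax_clusters(SAMPLE_LISTING).items():
        print(f"suspicious stem {stem!r}: data={info['data']} exe={info['has_exe']}")
```

Legitimate software rarely drops numbered .001/.006/.007 files into the system directory, so any hit deserves a look at the matching .exe and at system.ini alongside it.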

Win32/Ardamax can be configured to hide the following, any of which would otherwise indicate its presence on an affected computer:

  • System tray icon
  • Ardamax process
  • Shortcuts in the Start menu
  • Listing in Add/Remove Programs
  • Win32/Ardamax program installation folder


Payload

Captures user information

The Ardamax key logger can be configured by an attacker to capture the following types of data to a log file:

  • User-entered data via the keyboard
  • Web browsing history
  • Internet chat content
  • Application usage
  • Periodic screen shots
  • Periodic webcam shots


Win32/Ardamax can be configured to send the captured data to the following specified destinations:

  • Email address via SMTP
  • FTP server
  • A network connected computer




Analysis by Edgardo Diaz

Last update 11 April 2012
