TSPY_ARDAMAX.HR

This is the additional infection that infects as a result of exploit HTML_SHELLCOD.SM which will be as a result of IE vulnerability. It steals information and sends it to FTP servers from where some malicious codes that run multiple routines on the infected systems. It logs keystrokes and accesses certain sites and chat logs, which further compromises a user’s privacy.
1) It is found by the following files on the system in the folders C:\Windows\System32 and C:\Documents and Settings\user name\Local Settings\Temp with the following filenames:

• SKOE.001
• SKOE.002
• SKOE.006
• SKOE.007
• SKOE.EXE and
• @3A.tmp
• @3B.tmp
• mrt3C.tmp\bigbox.mfx
• \mrt3C.tmp\ctrlx.mfx
• \mrt3C.tmp\Download.mfx
• \mrt3C.tmp\kccda.mfx
• \mrt3C.tmp\kcclip.mfx
• \mrt3C.tmp\KcClkBlk.mfx
• \mrt3C.tmp\KcCursor.mfx
• \mrt3C.tmp\kcfile.mfx
• \mrt3C.tmp\kcpop.mfx
• \mrt3C.tmp\mmfs2.dll
• \mrt3C.tmp\stdrt.exe
• \TIBIA_MOD
• \TIBIA_MOD.EXE

2) It creates following registry entry to enable its auto execution
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SKOE Agent = "%System%\28463\SKOE.exe"


3) It creates following registry keys in HKey_Classes_Root under Interface folder in the folder {03022430-ABC4-11D0-BDE2-00AA001A1953} with the names

• (Default) = "IAccessibleHandler"
• (Default) = "{{malware name}}"
• (Default) = "{{malware name}}"
• (Default) = "{{malware name}}"
• Version = "1.1
• 1.1(Default) = "Accessibility"

and under TypeLib Folder with the folder name {1EA4DBF0-3C3B-11CF-810C-00AA00389B71}with the files

• 1.1(Default) = "Accessibility"
• 1.1\0\win32(Default) = "%System%\oleacc.dll"
• 1.1\FLAGS(Default) = "4"
• 1.1\HELPDIR(Default) = "%Windows%\System32"

Posted in: Key loggers,PC Support,Technical Support,TechSupp 247,Trojan,TSPY_ARDAMAX.HR