January 25, 2011

TSPY_ARDAMAX.HR

This is an additional infection dropped as a result of the exploit HTML_SHELLCOD.SM, which itself arrives through an IE vulnerability. It steals information and sends it to FTP servers, from where malicious code that runs multiple routines on the infected system is obtained. It logs keystrokes and records visited sites and chat logs, further compromising the user's privacy.
1) It drops the following files on the system in the folders C:\Windows\System32 and C:\Documents and Settings\user name\Local Settings\Temp, with the following filenames:

  • SKOE.001
  • SKOE.002
  • SKOE.006
  • SKOE.007
  • SKOE.EXE
  • @3A.tmp
  • @3B.tmp
  • mrt3C.tmp\bigbox.mfx
  • \mrt3C.tmp\ctrlx.mfx
  • \mrt3C.tmp\Download.mfx
  • \mrt3C.tmp\kccda.mfx
  • \mrt3C.tmp\kcclip.mfx
  • \mrt3C.tmp\KcClkBlk.mfx
  • \mrt3C.tmp\KcCursor.mfx
  • \mrt3C.tmp\kcfile.mfx
  • \mrt3C.tmp\kcpop.mfx
  • \mrt3C.tmp\mmfs2.dll
  • \mrt3C.tmp\stdrt.exe
  • \TIBIA_MOD
  • \TIBIA_MOD.EXE

2) It creates the following registry entry to enable its automatic execution at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SKOE Agent = "%System%\28463\SKOE.exe"

3) It creates the following registry values under HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}:
  • (Default) = "IAccessibleHandler"
  • (Default) = "{{malware name}}"
  • (Default) = "{{malware name}}"
  • (Default) = "{{malware name}}"
  • Version = "1.1"
  • 1.1(Default) = "Accessibility"

and under HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71} the following values:
  • 1.1(Default) = "Accessibility"
  • 1.1\0\win32(Default) = "%System%\oleacc.dll"
  • 1.1\FLAGS(Default) = "4"
  • 1.1\HELPDIR(Default) = "%Windows%\System32"
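The three items above can be turned into an offline indicator check. The script below is an added example, not code from the original post or from any vendor tool: it matches a host inventory (a list of file paths and an export of Run-key values) against the dropped filenames and the "SKOE Agent" persistence value listed above and returns the hits, so it can be run over a collected export rather than on the live machine. The inventory at the bottom is constructed sample data. The Interface and TypeLib values from item 3 are deliberately not used as indicators: the names the post lists ("IAccessibleHandler", "Accessibility", oleacc.dll) are those of the standard Windows Accessibility type library and would also match on clean hosts.

```python
"""Offline indicator check for the TSPY_ARDAMAX.HR artifacts listed in the post.

Added example (not the post's own code). Inputs are an inventory of file paths
and (key, value name, data) tuples exported from the registry; the sample
inventory below is constructed.
"""
import re

# Filenames from item 1 (compared case-insensitively, as Windows does).
DROPPED_FILENAMES = {
    "skoe.001", "skoe.002", "skoe.006", "skoe.007", "skoe.exe",
    "@3a.tmp", "@3b.tmp", "tibia_mod", "tibia_mod.exe",
}
# Files dropped inside the mrt3C.tmp directory (item 1).
MRT_DIR = "mrt3c.tmp"
MRT_FILENAMES = {
    "bigbox.mfx", "ctrlx.mfx", "download.mfx", "kccda.mfx", "kcclip.mfx",
    "kcclkblk.mfx", "kccursor.mfx", "kcfile.mfx", "kcpop.mfx",
    "mmfs2.dll", "stdrt.exe",
}
# Persistence entry from item 2.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "skoe agent"
# Matches the target even if the value was renamed (...\28463\SKOE.exe).
RUN_DATA_RE = re.compile(r"\\28463\\skoe\.exe$", re.IGNORECASE)


def match_files(paths):
    """Return the paths whose filename (and, for .mfx files, parent dir) is an indicator."""
    hits = []
    for p in paths:
        parts = p.replace("/", "\\").lower().split("\\")
        name = parts[-1]
        parent = parts[-2] if len(parts) >= 2 else ""
        if name in DROPPED_FILENAMES or (parent == MRT_DIR and name in MRT_FILENAMES):
            hits.append(p)
    return hits


def match_run_values(run_values):
    """run_values: iterable of (key, value_name, data) tuples from a registry export."""
    hits = []
    for key, name, data in run_values:
        same_key = key.lower() == RUN_KEY.lower()
        if (same_key and name.lower() == RUN_VALUE_NAME) or RUN_DATA_RE.search(data or ""):
            hits.append((key, name, data))
    return hits


def assess(inventory):
    """Combine both checks. The Run value alone is decisive; loose files only raise suspicion."""
    file_hits = match_files(inventory["files"])
    run_hits = match_run_values(inventory["run_values"])
    if run_hits or len(file_hits) >= 2:
        verdict = "infected"
    elif file_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"files": file_hits, "run_values": run_hits, "verdict": verdict}


# Constructed sample inventory (not from a real host).
SAMPLE_INVENTORY = {
    "files": [
        r"C:\Windows\System32\28463\SKOE.exe",
        r"C:\Documents and Settings\alice\Local Settings\Temp\mrt3C.tmp\stdrt.exe",
        r"C:\Windows\System32\oleacc.dll",   # legitimate Accessibility DLL, must not match
        r"C:\Documents and Settings\alice\My Documents\notes.txt",
    ],
    "run_values": [
        (RUN_KEY, "SKOE Agent", r"C:\Windows\System32\28463\SKOE.exe"),
        (RUN_KEY, "ctfmon.exe", "ctfmon.exe"),
    ],
}

CLEAN_INVENTORY = {
    "files": [r"C:\Windows\System32\oleacc.dll"],
    "run_values": [(RUN_KEY, "ctfmon.exe", "ctfmon.exe")],
}

if __name__ == "__main__":
    for label, inv in (("sample", SAMPLE_INVENTORY), ("clean", CLEAN_INVENTORY)):
        print(label, assess(inv))
```

A real export would come from a directory listing of the two folders named in item 1 and a `reg export` of the Run key; the matching is by filename and parent directory rather than full path so that the Temp folder of any user profile is covered.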
