Submission Summary:

• Submission details:
• Submission received: 17 January 2010, 11:35:05
• Processing time: 8 min 35 sec
• Submitted sample:
• File MD5: 0x0C7A714B8E1D2EAD2AFC90DCC43BBE18
• File SHA-1: 0x66736613F22771F5DA5606ED8C80B572B3F5C103
• Filesize: 525,312 bytes
• Alias:
• Application.Ardamax!ct [PCTools]
• Spyware.Ardakey [Symantec]
• not-a-virus:Monitor.Win32.Ardamax.ae [Kaspersky Lab]
• Keylog-Ardamax.dll [McAfee]
• MonitoringTool:Win32/Ardamax [Microsoft]
• Win-Trojan/Xema.variant [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Application.Ardamax_Keylogger	Ardamax Keylogger is a keystroke recorder that captures user's activity and saves it to an encrypted log file. The log file can be viewed with the powerful Log Viewer.
Application.Ardamax!ct	Application.Ardamax!ct is a 100% legitimate application. Under certain circumstances, however, some people may find it undesirable.

• Attention! The following threat category was identified:

Threat Category	Description
	A spyware program that represents security risk for a local system

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Ardamax Keylogger\Ardamax Keylogger.lnk	654 bytes	MD5: 0xA3BA50403E05F4FB527C0685BF10AE38 SHA-1: 0x79662D27C8448B90DE5E563927BEE765B00DF676	(not available)
2	%System%\[filename of the sample #1 without extension].001	2,596 bytes	MD5: 0xE6556A30989FAB19533FB98E065EBB3E SHA-1: 0xEF8EF97197D2A7407A3C72A95C36BAF84CA7ECA1	(not available)
3	[file and pathname of the sample #1]	525,312 bytes	MD5: 0x0C7A714B8E1D2EAD2AFC90DCC43BBE18 SHA-1: 0x66736613F22771F5DA5606ED8C80B572B3F5C103	Application.Ardamax!ct [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.ae [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] Win-Trojan/Xema.variant [AhnLab]

• Notes:
• %CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

• The following directory was created:
• %CommonPrograms%\Ardamax Keylogger

Memory Modifications

• There was a new process created in the system:

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• [filename of the sample #1 without extension] Agent = "[file and pathname of the sample #1]"

so that [file and pathname of the sample #1] runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
• DisplayName = "Ardamax Keylogger 2.9"
• UninstallString = "%System%\Uninstall.exe"

Other details

• Analysis of the file resources indicate the following possible country of origin:

	Germany