Submission Summary:

• Submission details:
• Submission received: 8 January 2012, 17:09:19
• Processing time: 9 min 46 sec
• Submitted sample:
• File MD5: 0x75717B28ABAA7C75B3C9BB6F4C033325
• File SHA-1: 0x927299131F342C4DD117B0A7671CE5551BBD2DE7
• Filesize: 1,703,458 bytes
• Alias:
• Application.Ardamax_Keylogger [PCTools]
• Spyware.Ardakey [Symantec]
• Trojan-Spy.Win32.Ardamax.cko [Kaspersky Lab]
• Spy-Agent.cv [McAfee]
• TSPY_ARDAMAX.HR [Trend Micro]
• TrojanSpy:Win32/Ardamax.BB [Microsoft]
• Trojan-Spy.Win32.Ardamax [Ikarus]
• Dropper/Downloader.817294 [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A spyware program that represents security risk for a local system
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\system32.exe %Temp%\LoL Bot v2.0(2).exe	1,821,696 bytes	MD5: 0x72D066B1E29174C779EE3989365371D1 SHA-1: 0xF970DA65FAA7E1B2044EA233DED1E1D9807D0F80	Trojan.Gen [PCTools] Trojan.Gen.2 [Symantec] Trojan-Spy.MSIL.Zbot.avk [Kaspersky Lab] Mal/MSIL-BZ [Sophos] VirTool:MSIL/Injector.J [Microsoft] Trojan-Spy.MSIL [Ikarus] Win-Trojan/Lmirhack.1821696 [AhnLab]
2	%Temp%\@2.tmp	2,924,574 bytes	MD5: 0x15A65A9BCC40FEB4575ECAC77E346B0E SHA-1: 0x52031B4A315D6F20FEBD5AE4D30C2BEC277258FA	(not available)
3	%Temp%\dw.log	228 bytes	MD5: 0x4FB87A090D434D6744B7590B9BFA160B SHA-1: 0xA9C0050F87BC673EEB2E7719E018408DB4493C2C	(not available)
4	%System%\28463\AKV.exe	468,480 bytes	MD5: 0x752E814C2A5D197B8065501E786683C9 SHA-1: 0xC7B5840AB79EC308D0ACA9A8F07D59730B31AD99	Application.Ardamax_Keylogger [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.va [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] Mal/Generic-L [Sophos] MonitoringTool:Win32/Ardamax [Microsoft] Trojan.Generic [Ikarus]
5	%System%\28463\KNCG.001	442 bytes	MD5: 0xD50C950B87C88A89C18B9F73E01A11D3 SHA-1: 0xB2161A5FB8264CE27F073417C22E8CBB9A4F8C17	(not available)
6	%System%\28463\KNCG.002	1,008 bytes	MD5: 0x80F23F34195F18E243CC23A5C0407306 SHA-1: 0x0B1B85E01906720A0A77C9E707FEDCF6B196E4C2	(not available)
7	%System%\28463\KNCG.006	8,192 bytes	MD5: 0x911A5A213762001178A48B2CEEFA1880 SHA-1: 0xDE9B25AC58E893397AB9AD3331BD922BBD5043AE	Spyware.Ardakey!sd6 [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.mh [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] MonitoringTool [Ikarus]
8	%System%\28463\KNCG.007	5,632 bytes	MD5: 0x2183E6A435B000FC6E85B712513C3480 SHA-1: 0xC088B82494AAECA23A5ACFAF83F55597BD0BDC6E	Spyware.Ardakey!sd6 [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.o [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] Virus.Win32.Ardamax.GG [Ikarus]
9	%System%\28463\KNCG.exe	616,960 bytes	MD5: 0x8459B0BA642D016C60571A3AD31E6EC8 SHA-1: 0x19A7F23F7EEE39ED4217EC44EF46B899EABC32C2	Spyware.Ardakey!rem [PCTools] Spyware.Ardakey [Symantec] Trojan-Spy.Win32.Ardamax.rzx [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] Trojan-Spy.Win32.Ardamax [Ikarus] Win-Trojan/Ardamax.616960 [AhnLab]
10	[file and pathname of the sample #1]	1,703,458 bytes	MD5: 0x75717B28ABAA7C75B3C9BB6F4C033325 SHA-1: 0x927299131F342C4DD117B0A7671CE5551BBD2DE7	Application.Ardamax_Keylogger [PCTools] Spyware.Ardakey [Symantec] Trojan-Spy.Win32.Ardamax.cko [Kaspersky Lab] Spy-Agent.cv [McAfee] TSPY_ARDAMAX.HR [Trend Micro] TrojanSpy:Win32/Ardamax.BB [Microsoft] Trojan-Spy.Win32.Ardamax [Ikarus] Dropper/Downloader.817294 [AhnLab]
11	%Windir%\Temp\moof32.exe	1,140,920 bytes	MD5: 0x2C1E2BC0384BA3C12534E92223CB039F SHA-1: 0x258CBE81CB972334A28E0939B512233AB3A284E6	(not available)

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

• The following directory was created:
• %System%\28463

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
KNCG.exe	%System%\28463\KNCG.exe	962,560 bytes
system32.exe	%AppData%\system32.exe	N/A
LoL Bot v2.0(2).exe	%Temp%\lol bot v2.0(2).exe	N/A

• Attention! The following process was intentionally hidden from the user:

• There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
DW20.EXE	[pathname with a string SHARE]\dw20.exe	20,480 bytes
DW20.EXE	[pathname with a string SHARE]\dw20.exe	20,480 bytes

Registry Modifications

• The newly created Registry Values are:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• 1vxeyEMChqqpuRYf = "%AppData%\system32.exe"

so that system32.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• KNCG Agent = "%System%\28463\KNCG.exe"

so that KNCG.exe runs every time Windows starts