ThreatExpert Report: Suspicious.MH690, not-a-virus:Monitor.Win32.Ardamax.vl, Spy-Agent.cv..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 6 May 2011, 22:42:57
Processing time: 9 min 6 sec
Submitted sample:

File MD5: 0x8E6ECB70158EC068DB0BC48A557B32FF
File SHA-1: 0xE8B27144A72AE53B94D8F5A7F6CD824FC2E65F60
Filesize: 1,274,901 bytes
Alias:

Suspicious.MH690 [Symantec]
not-a-virus:Monitor.Win32.Ardamax.vl [Kaspersky Lab]
Spy-Agent.cv [McAfee]
TSPY_ARDAMAX.GA [Trend Micro]
TrojanSpy:Win32/Ardamax.H [Microsoft]
Trojan-Spy.Win32.Ardamax [Ikarus]
Win-Trojan/Ardamax.14848.D [AhnLab]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A spyware program that represents security risk for a local system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\@2.tmp	1,685,389 bytes	MD5: 0x6D12FBCFEDF6BB8D3E593B1563839947 SHA-1: 0x78B8449CEF22A059B84E667CC7A1C331203788FC	Virus.Win32.Ardamax [Ikarus]
2	%Temp%\WYD HOOK1.rar	778,519 bytes	MD5: 0x6FBDC54AC9A763C605F71A46227394C5 SHA-1: 0x153539CDE1DB4771EB1C839F3FD294E1CA0D6D16	(not available)
3	%System%\28463\AKV.exe	404,480 bytes	MD5: 0xB8FA30233794772B8B76B4B1D91C7321 SHA-1: 0x0CF9561BE2528944285E536F41D502BE24C3AA87	Application.Ardamax_Keylogger [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.w [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] Mal/Generic-A [Sophos] MonitoringTool:Win32/Ardamax [Microsoft] not-a-virus:Monitor.Win32.Ardamax.ah [Ikarus] Win-Trojan/Ardamax.404480 [AhnLab]
4	%System%\28463\NBEH.001	530 bytes	MD5: 0x6637F2FEFED4E0CB216020671DB9F6D3 SHA-1: 0xE1C5A78577E0FA6DDB0EF78721FBECA8E6D7270E	(not available)
5	%System%\28463\NBEH.002	1,072 bytes	MD5: 0x4F863C391B07B124517A2CCA6E6207BF SHA-1: 0x44AA2BE3E1CDEA5F32C0CC91E2B17BBAD3B8CB36	(not available)
6	%System%\28463\NBEH.006	8,192 bytes	MD5: 0x43F02E9974B1477C1E6388882F233DB0 SHA-1: 0xF3E27B231193F8D5B2E1B09D05AE3A62795CF339	Spyware.Ardakey!rem [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.s [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] not-a-virus:Monitor.Win32.Ardamax [Ikarus] Win-Trojan/Ardamax.7680 [AhnLab]
7	%System%\28463\NBEH.007	5,632 bytes	MD5: 0xB5A87D630436F958C6E1D82D15F98F96 SHA-1: 0xD3FF5E92198D4DF0F98A918071ACA53550BF1CFF	Spyware.Ardakey!rem [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.o [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] TrojanSpy:WinNT/Ardamax.A!sys [Microsoft] not-a-virus:Monitor.Win32.Ardamax [Ikarus]
8	%System%\28463\NBEH.009	6,650 bytes	MD5: 0xC778FA430AD23E422DBD1386F5FD4C43 SHA-1: 0xA3D25B26C894DDDFA4509A2AF81096992B8361A3	(not available)
9	%System%\28463\NBEH.exe	484,864 bytes	MD5: 0x17535DDDECF8CB1EFDBA1F1952126547 SHA-1: 0xA862A9A3EB6C201751BE1038537522A5281EA6CB	Trojan-Dropper.Agent [PCTools] Spyware.Ardakey [Symantec] not-a-virus:Monitor.Win32.Ardamax.ac [Kaspersky Lab] Keylog-Ardamax.dll [McAfee] MonitoringTool:Win32/Ardamax [Microsoft] Trojan-Spy.Ardamax.J [Ikarus] Win-Trojan/Ardamax.484864 [AhnLab]
10	[file and pathname of the sample #1]	1,274,901 bytes	MD5: 0x8E6ECB70158EC068DB0BC48A557B32FF SHA-1: 0xE8B27144A72AE53B94D8F5A7F6CD824FC2E65F60	Suspicious.MH690 [Symantec] not-a-virus:Monitor.Win32.Ardamax.vl [Kaspersky Lab] Spy-Agent.cv [McAfee] TSPY_ARDAMAX.GA [Trend Micro] TrojanSpy:Win32/Ardamax.H [Microsoft] Trojan-Spy.Win32.Ardamax [Ikarus] Win-Trojan/Ardamax.14848.D [AhnLab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%System%\28463

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
NBEH.exe	%System%\28463\NBEH.exe	503,808 bytes

Attention! The following process was intentionally hidden from the user:

Process Name	Main Module Size
NBEH.exe	503,808 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

NBEH Agent = "%System%\28463\NBEH.exe"

so that NBEH.exe runs every time Windows starts

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.