ThreatExpert Report: Application.Ardamax_Keylogger, not-a-virus:Client-IRC.Win32.mIRC.603..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 31 March 2009, 10:48:08
Processing time: 6 min 2 sec
Submitted sample:

File MD5: 0xA0AA643E2435DD4A168500D54EC5F918
File SHA-1: 0x99BE49319A78DB9B899157E29892DECB4AF48EFA
Filesize: 852,786 bytes
Alias:

Application.Ardamax_Keylogger [PCTools]
not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
IRC-Worm.Win32.Tedeto.a [Ikarus]

Summary of the findings:

What's been found	Severity Level
Communication with a remote IRC server.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Backdoor.IRCBot	Backdoor.IRCBot is a family of IRC backdoors allowing unauthorized access to an infected PC. It has the capability to spread over a network exploiting various Windows vulnerabilities.
Application.Ardamax_Keylogger	Ardamax Keylogger is a keystroke recorder that captures user's activity and saves it to an encrypted log file. The log file can be viewed with the powerful Log Viewer.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\cache\active.txt	7 bytes	MD5: 0xC3FA23DB83C2517522E89465210191C8 SHA-1: 0x5EDC0F917398787190183EC70B0923E4F91129F0	(not available)
2	%System%\cache\aliases.ini	2,734 bytes	MD5: 0xFF0080B8D72BA43CE89D77ED62CC9456 SHA-1: 0x9720F891A66163B93CC766B2440EFA3D98F491EB	(not available)
3	%System%\cache\channels.txt	192,656 bytes	MD5: 0x5A90CE40721ADA8AA9042962D29D534F SHA-1: 0x489988B3AE7CFE0C7FF1E4E69914A65A75FB01A2	(not available)
4	%System%\cache\do.txt	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
5	%System%\cache\hi.txt	44 bytes	MD5: 0x9AD9F611225A76243158F60664634670 SHA-1: 0x0FA98B1DEC2062A10080277D36DC79C1E28957C1	(not available)
6	%System%\cache\mirc.ini	5,842 bytes	MD5: 0x087DBB96A46E6F6C014037EED98D42D3 SHA-1: 0x95B5B7E0799BB548508BB8ED63530BD6C68A777B	(not available)
7	%System%\cache\names.txt	10,565 bytes	MD5: 0xA1AB9A5780D326551994652567128B41 SHA-1: 0x13AC0096CFD7DDA56BCE627CD5C82E3D69DC7A55	(not available)
8	%System%\cache\nick.txt	38,311 bytes	MD5: 0xCE0343CA678EE66A262C5D5FA326C358 SHA-1: 0x69F7AF910531E941F5A5A61EC5BC4C2629D481B3	(not available)
9	%System%\cache\perform.ini	19 bytes	MD5: 0x5620702D9459867CD66B7C5647BEB413 SHA-1: 0x98AE0BF44E5D99DC9973BA332CBF406AD066F6C9	(not available)
10	%System%\cache\prefix.txt	202 bytes	MD5: 0x9C1E6A3487FC24E89C74E620B355AB7B SHA-1: 0x0217B4F131962F0E7CCF236F8788110CCC3E2888	(not available)
11	%System%\cache\remote.ini	268 bytes	MD5: 0x120261963A8EDCC40E1903D70210766D SHA-1: 0xA4E54D586FB298838D9C96E1D85B2104A9402323	(not available)
12	%System%\cache\restart.bat	27 bytes	MD5: 0x2BA8E1A9FA361527C6E7675951B345A5 SHA-1: 0x35245B73D22DA9B3B9768052D8E0A38E7DF85712	(not available)
13	%System%\cache\s.bat	229 bytes	MD5: 0x8BAF901BFA3D4E40C0B1D27209C8BD7C SHA-1: 0xE1EA2DE6E7000D2038280BD67EC11E5B33D9D827	(not available)
14	%System%\cache\sc.exe	31,232 bytes	MD5: 0xA48B1C06219A01A60CD8D4D45440BDE9 SHA-1: 0x34AF23607AD5AFA9E61B6A96CEC811E6BDC50B4A	(not available)
15	%System%\cache\script.ini	9,575 bytes	MD5: 0x8C211FE37D1ADCB486E86A0C92C14F0D SHA-1: 0xBB904E0987104A88C2F311318563C0692ADE5C21	IRC.Randon.M [PCTools]
16	%System%\cache\servers.ini	262 bytes	MD5: 0x55C50CEF9C023F49374DD199A5601221 SHA-1: 0x9AF43256393FF8409F4030922C466DDA1B5A6AB5	(not available)
17	%System%\cache\spoolsvr.exe	1,790,464 bytes	MD5: 0xEA15F5DA916E4C210D4FF97D25AE0ACB SHA-1: 0xCE3C47959EE3D28F22777EF70F570D509B36D7CB	IRC.Backdoor.Trojan [Symantec] not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab] IRC/Client [McAfee] IRC-Worm.Win32.Tedeto.a [Ikarus] Win-Trojan/MircPack.1790464 [AhnLab]
18	%System%\cache\suffixes.txt	503 bytes	MD5: 0x0344BB438D90CBEE26833A90EE1A47D5 SHA-1: 0xBF6D65C85F04B0101464D4109339DB1E10E97456	(not available)
19	[file and pathname of the sample #1]	852,786 bytes	MD5: 0xA0AA643E2435DD4A168500D54EC5F918 SHA-1: 0x99BE49319A78DB9B899157E29892DECB4AF48EFA	Application.Ardamax_Keylogger [PCTools] not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab] IRC-Worm.Win32.Tedeto.a [Ikarus]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%System%\cache
%System%\cache\download
%System%\cache\logs
%System%\cache\sounds

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
sc.exe	%System%\cache\sc.exe	40,960 bytes
dllhost.exe	%System%\cache\dllhost.exe	20,480 bytes
dllhost.exe	%System%\dllcache\dllhost.exe	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	131,072 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
helpsvcc	Help and Support Center	"Running"	%System%\cache\dllhost.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HELPSVCC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HELPSVCC\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HELPSVCC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvcc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvcc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvcc\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvcc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELPSVCC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELPSVCC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELPSVCC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvcc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvcc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvcc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvcc\Enum
HKEY_USERS\.DEFAULT\Software\mIRC
HKEY_USERS\.DEFAULT\Software\mIRC\DateUsed
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
HKEY_CURRENT_USER\Software\mIRC
HKEY_CURRENT_USER\Software\mIRC\DateUsed

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]

(Default) = "ChatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]

(Default) = "ChatFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]

(Default) = "Connect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]

(Default) = "mIRC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]

(Default) = ""%System%\cache\spoolsvr.exe" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]

(Default) = ""%System%\cache\spoolsvr.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]

(Default) = "Chat File"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]

(Default) = "Connect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]

(Default) = "mIRC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]

(Default) = ""%System%\cache\spoolsvr.exe" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]

(Default) = ""%System%\cache\spoolsvr.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]

(Default) = "URL:IRC Protocol"
EditFlags = 02 00 00 00
URL Protocol = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]

DisplayName = "mIRC"
UninstallString = ""%System%\cache\spoolsvr.exe" -uninstall"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HELPSVCC\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "helpsvcc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HELPSVCC\0000]

Service = "helpsvcc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Help and Support Center"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HELPSVCC]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvcc\Enum]

0 = "Root\LEGACY_HELPSVCC\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvcc\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvcc\Parameters]

Application = "%System%\cache\spoolsvr.exe"
AppDirectory = "%System%\cache\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvcc]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\cache\dllhost.exe"
DisplayName = "Help and Support Center"
ObjectName = "LocalSystem"
Description = "Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELPSVCC\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "helpsvcc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELPSVCC\0000]

Service = "helpsvcc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Help and Support Center"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELPSVCC]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvcc\Enum]

0 = "Root\LEGACY_HELPSVCC\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvcc\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvcc\Parameters]

Application = "%System%\cache\spoolsvr.exe"
AppDirectory = "%System%\cache\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvcc]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\cache\dllhost.exe"
DisplayName = "Help and Support Center"
ObjectName = "LocalSystem"
Description = "Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_USERS\.DEFAULT\Software\mIRC\DateUsed]

(Default) = "1238525319"

[HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]

VoiceEnabled = 0x00000001
UseVoiceTips = 0x00000001
KeyHoldHotKey = 0x00000091
UseBeepSRPrompt = 0x00000001
SRTimerDelay = 0x000007D0
SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EnableSpeaking = 0x00000001
UseBalloon = 0x00000001
UseCharacterFont = 0x00000001
UseSoundEffects = 0x00000001
SpeakingSpeed = 0x00000005
PropertySheetX = 0x000F423F
PropertySheetY = 0x000F423F
PropertySheetWidth = 0x00000000
PropertySheetHeight = 0x00000000
PropertySheetPage = 0x00000000
CommandsWindowLeft = 0xFFFFFFFF
CommandsWindowTop = 0xFFFFFFFF
CommandsWindowWidth = 0x000000C8
CommandsWindowHeight = 0x000000C8
CommandsWindowLocationSet = 0x00000000

[HKEY_CURRENT_USER\Software\mIRC\DateUsed]

(Default) = "1238525386"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

The following Host Names were requested from a host database:

b.thetainted.net
irc.gamesurge.net

There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

%System%\cache\spoolsvr.exe

Outbound traffic (potentially malicious)

Attention! There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.