ThreatExpert's Statistics for Win-Trojan/Xema.variant [AhnLab]:

Win-Trojan/Xema.variant [AhnLab] is also known as:
Threat Alias | Number of Incidents
Keylog-Ardamax.dll [McAfee] | 42,720
not-a-virus:Monitor.Win32.Ardamax.ae [Kaspersky Lab] | 34,489
Spyware.Ardakey [Symantec] | 34,388
MonitoringTool:Win32/Ardamax [Microsoft] | 34,248
Trojan-Spy.Ardamax.J [Ikarus] | 28,444
Application.Ardamax_Keylogger [PC Tools] | 20,588
TrojanSpy.Ardamax.WQ [PC Tools] | 12,955
Application.Ardamax!ct [PC Tools] | 8,833
Trojan.Keylogger.Hotkeys [PC Tools] | 3,315
Mal/Generic-A [Sophos] | 3,096
TSPY_HOTKEYS.B [Trend Micro] | 2,669
Trojan Horse [Symantec] | 2,281
Generic.dx [McAfee] | 1,929
Hacktool [Symantec] | 1,147
Generic PUP.x [McAfee] | 1,139
Downloader [Symantec] | 1,116
not-a-virus:PSWTool.Win32.NetPass.et [Kaspersky Lab] | 977
Tool:Win32/IEPassRecover.A [Microsoft] | 812
not-a-virus:PSWTool.Win32.ProductKey.ae [Kaspersky Lab] | 808
not-a-virus:PSWTool.Win32.Messen.110 [Ikarus] | 603
not-a-virus:PSWTool.Win32.NetPass [Ikarus] | 603
Generic PUP.x!g [McAfee] | 599
Trojan-Dropper.Agent [Ikarus] | 596
Trojan.Crypt [Ikarus] | 485
Trojan.Generic [PC Tools] | 478
PSWTool.NetPass!sd6 [PC Tools] | 468
Backdoor.Trojan [Symantec] | 466
Trojan:WinNT/Tibs.gen!A [Microsoft] | 433
Backdoor.Bifrose [Symantec] | 390
Trojan.Generic [Ikarus] | 383
Infostealer.Gampass [Symantec] | 373
WORM_IMAUT.Q [Trend Micro] | 357
Constructor.Win32.Bifrose.j [Kaspersky Lab] | 349
Trojan-Dropper [Ikarus] | 348
Mal/Packer [Sophos] | 340
W32/Autorun-QA [Sophos] | 325
Backdoor.IRC.Bot [Symantec] | 324
PSWTool.ProductKey!sd6 [PC Tools] | 312
W32.SillyFDC [Symantec] | 293
ProduKey [Symantec] | 287
BackDoor-CEP [McAfee] | 286
Backdoor.Win32.Bifrose [Ikarus] | 281
FakeAlert-FH [McAfee] | 275
Mal/EncPk-GF [Sophos] | 270
Trojan-Downloader.Agent!sd6 [PC Tools] | 266
Mal/EncPk-IV [Sophos] | 239
Backdoor.Bifrose!sd6 [PC Tools] | 236
PWSTool.NetPass!sd6 [PC Tools] | 234
W32.SillyDC [Symantec] | 231
not-a-virus:PSWTool.Win32.NetPass.et [Ikarus] | 224
Trojan.Win32.VB [Ikarus] | 215
Generic PWS.y [McAfee] | 211
PWSTool.ProductKey!sd6 [PC Tools] | 208
Trojan-Dropper.Delf [Ikarus] | 203
Trojan.Peed [Ikarus] | 199
Trojan.Win32.Glox [Ikarus] | 199
Trojan-GameThief.Win32.WOW [Ikarus] | 199
Mal/Autorun-C [Sophos] | 198
Downloader-AZN.dr [McAfee] | 197
Virus.Win32.Trojan [Ikarus] | 196
Worm.Win32.AutoRun.afcb [Kaspersky Lab] | 196
BKDR_CIADOOR.EA [Trend Micro] | 195
Trojan.Vundo [Symantec] | 190
Trojan.WinNT [Ikarus] | 189
Trojan.DL.VB.AAVI [PC Tools] | 186
Trojan:Win32/Ertfor.A [Microsoft] | 184
Generic FakeAlert.k [McAfee] | 183
Packed.Generic.233 [Symantec] | 179
Backdoor.Tidserv [Symantec] | 176
Mal/TDSSPack-L, Mal/TDSSPack-K [Sophos] | 175
Trojan.TDSS!sd6 [PC Tools] | 175
Downloader.gen.a [McAfee] | 173
Troj/Virtum-Gen [Sophos] | 172
Mal/EncPk-EW [Sophos] | 171
Trojan.Win32.Ertfor [Ikarus] | 169
Trojan.Win32.TDSS.abzw [Kaspersky Lab] | 169
Generic Downloader.x [McAfee] | 163
Trojan-Downloader.Win32.VB.bsa [Kaspersky Lab] | 151
Mal/RootKit-Fam [Sophos] | 149
Trojan-Downloader.Win32.VB [Ikarus] | 149
W32/Autorun.worm.dq.gen [McAfee] | 149
not-a-virus:PSWTool.Win32.FirePass.af [Kaspersky Lab] | 147
Trojan.Win32.FakeScanti [Ikarus] | 145
Generic.dx!elb [McAfee] | 144
Rootkit.Win32.Pakes.or [Kaspersky Lab] | 144
Trojan-Downloader.Win32.Agent.cosh [Kaspersky Lab] | 144
TrojanDownloader:Win32/Banload.JD [Microsoft] | 144
Trojan-Dropper.Win32.Agent.awwv [Kaspersky Lab] | 144
Suspicious.MH690 [Symantec] | 143
Trojan.Win32.Crypt [Ikarus] | 141
Trojan.Win32.Crypt.aqt [Kaspersky Lab] | 138
Infostealer [Symantec] | 134
not-a-virus:Monitor.Win32.007SpySoft.g [Kaspersky Lab] | 133
PSWTool.FirePass!sd6 [PC Tools] | 133
Spyware.007Spy [Symantec] | 133
W32/Sohana-AX [Sophos] | 133
Generic Dropper!gd [McAfee] | 132
W32.Fujacks.CB [Symantec] | 132
Win32.SuspectCrc [Ikarus] | 130
Trojan.Win32.Koblu.cak [Kaspersky Lab] | 121

Win-Trojan/Xema.variant [AhnLab] has the following possible countries of origin:
Origin | Number of Incidents
China | 1,327
Germany | 365
Russian Federation | 344
Brazil | 148
United Kingdom | 142
Israel | 123
Spain | 101
Sweden | 83
France | 67
Italy | 50
Croatia | 39
Turkey | 39
Iran | 38
Republic of Korea | 35
Portugal | 28
Ukraine | 25
Japan | 24
Saudi Arabia | 24
Netherlands | 20
Taiwan | 20
Finland | 14
Poland | 13
Canada | 12
Switzerland | 12
Australia | 9
Belgium | 9
Egypt | 9
Costa Rica | 4
Romania | 4
Czech Republic | 3
Morocco | 3
Norway | 3
Oman | 3
Argentina | 2
Slovakia | 2
Austria | 1
Denmark | 1
Indonesia | 1
Ireland | 1
Mexico | 1
New Zealand | 1
Thailand | 1
United Arab Emirates | 1

Win-Trojan/Xema.variant [AhnLab] is known to be created as:
Notes:
  • %AllUsersProfile% is a variable that specifies the All Users profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).
  • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
  • %CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.