ThreatExpert's Statistics for Win-Trojan/Xema.variant [AhnLab]:

Win-Trojan/Xema.variant [AhnLab] is also known as:

Threat Alias	Number of Incidents
Keylog-Ardamax.dll [McAfee]	42,720
not-a-virus:Monitor.Win32.Ardamax.ae [Kaspersky Lab]	34,489
Spyware.Ardakey [Symantec]	34,388
MonitoringTool:Win32/Ardamax [Microsoft]	34,248
Trojan-Spy.Ardamax.J [Ikarus]	28,444
Application.Ardamax_Keylogger [PC Tools]	20,588
TrojanSpy.Ardamax.WQ [PC Tools]	12,955
Application.Ardamax!ct [PC Tools]	8,833
Trojan.Keylogger.Hotkeys [PC Tools]	3,315
Mal/Generic-A [Sophos]	3,096
TSPY_HOTKEYS.B [Trend Micro]	2,669
Trojan Horse [Symantec]	2,281
Generic.dx [McAfee]	1,929
Hacktool [Symantec]	1,147
Generic PUP.x [McAfee]	1,139
Downloader [Symantec]	1,116
not-a-virus:PSWTool.Win32.NetPass.et [Kaspersky Lab]	977
Tool:Win32/IEPassRecover.A [Microsoft]	812
not-a-virus:PSWTool.Win32.ProductKey.ae [Kaspersky Lab]	808
not-a-virus:PSWTool.Win32.Messen.110 [Ikarus]	603
not-a-virus:PSWTool.Win32.NetPass [Ikarus]	603
Generic PUP.x!g [McAfee]	599
Trojan-Dropper.Agent [Ikarus]	596
Trojan.Crypt [Ikarus]	485
Trojan.Generic [PC Tools]	478
PSWTool.NetPass!sd6 [PC Tools]	468
Backdoor.Trojan [Symantec]	466
Trojan:WinNT/Tibs.gen!A [Microsoft]	433
Backdoor.Bifrose [Symantec]	390
Trojan.Generic [Ikarus]	383
Infostealer.Gampass [Symantec]	373
WORM_IMAUT.Q [Trend Micro]	357
Constructor.Win32.Bifrose.j [Kaspersky Lab]	349
Trojan-Dropper [Ikarus]	348
Mal/Packer [Sophos]	340
W32/Autorun-QA [Sophos]	325
Backdoor.IRC.Bot [Symantec]	324
PSWTool.ProductKey!sd6 [PC Tools]	312
W32.SillyFDC [Symantec]	293
ProduKey [Symantec]	287
BackDoor-CEP [McAfee]	286
Backdoor.Win32.Bifrose [Ikarus]	281
FakeAlert-FH [McAfee]	275
Mal/EncPk-GF [Sophos]	270
Trojan-Downloader.Agent!sd6 [PC Tools]	266
Mal/EncPk-IV [Sophos]	239
Backdoor.Bifrose!sd6 [PC Tools]	236
PWSTool.NetPass!sd6 [PC Tools]	234
W32.SillyDC [Symantec]	231
not-a-virus:PSWTool.Win32.NetPass.et [Ikarus]	224
Trojan.Win32.VB [Ikarus]	215
Generic PWS.y [McAfee]	211
PWSTool.ProductKey!sd6 [PC Tools]	208
Trojan-Dropper.Delf [Ikarus]	203
Trojan.Peed [Ikarus]	199
Trojan.Win32.Glox [Ikarus]	199
Trojan-GameThief.Win32.WOW [Ikarus]	199
Mal/Autorun-C [Sophos]	198
Downloader-AZN.dr [McAfee]	197
Virus.Win32.Trojan [Ikarus]	196
Worm.Win32.AutoRun.afcb [Kaspersky Lab]	196
BKDR_CIADOOR.EA [Trend Micro]	195
Trojan.Vundo [Symantec]	190
Trojan.WinNT [Ikarus]	189
Trojan.DL.VB.AAVI [PC Tools]	186
Trojan:Win32/Ertfor.A [Microsoft]	184
Generic FakeAlert.k [McAfee]	183
Packed.Generic.233 [Symantec]	179
Backdoor.Tidserv [Symantec]	176
Mal/TDSSPack-L, Mal/TDSSPack-K [Sophos]	175
Trojan.TDSS!sd6 [PC Tools]	175
Downloader.gen.a [McAfee]	173
Troj/Virtum-Gen [Sophos]	172
Mal/EncPk-EW [Sophos]	171
Trojan.Win32.Ertfor [Ikarus]	169
Trojan.Win32.TDSS.abzw [Kaspersky Lab]	169
Generic Downloader.x [McAfee]	163
Trojan-Downloader.Win32.VB.bsa [Kaspersky Lab]	151
Mal/RootKit-Fam [Sophos]	149
Trojan-Downloader.Win32.VB [Ikarus]	149
W32/Autorun.worm.dq.gen [McAfee]	149
not-a-virus:PSWTool.Win32.FirePass.af [Kaspersky Lab]	147
Trojan.Win32.FakeScanti [Ikarus]	145
Generic.dx!elb [McAfee]	144
Rootkit.Win32.Pakes.or [Kaspersky Lab]	144
Trojan-Downloader.Win32.Agent.cosh [Kaspersky Lab]	144
TrojanDownloader:Win32/Banload.JD [Microsoft]	144
Trojan-Dropper.Win32.Agent.awwv [Kaspersky Lab]	144
Suspicious.MH690 [Symantec]	143
Trojan.Win32.Crypt [Ikarus]	141
Trojan.Win32.Crypt.aqt [Kaspersky Lab]	138
Infostealer [Symantec]	134
not-a-virus:Monitor.Win32.007SpySoft.g [Kaspersky Lab]	133
PSWTool.FirePass!sd6 [PC Tools]	133
Spyware.007Spy [Symantec]	133
W32/Sohana-AX [Sophos]	133
Generic Dropper!gd [McAfee]	132
W32.Fujacks.CB [Symantec]	132
Win32.SuspectCrc [Ikarus]	130
Trojan.Win32.Koblu.cak [Kaspersky Lab]	121

Win-Trojan/Xema.variant [AhnLab] has the following possible countries of origin:

Origin		Number of Incidents
	China	1,327
	Germany	365
	Russian Federation	344
	Brazil	148
	United Kingdom	142
	Israel	123
	Spain	101
	Sweden	83
	France	67
	Italy	50
	Croatia	39
	Turkey	39
	Iran	38
	Republic of Korea	35
	Portugal	28
	Ukraine	25
	Japan	24
	Saudi Arabia	24
	Netherlands	20
	Taiwan	20
	Finland	14
	Poland	13
	Canada	12
	Switzerland	12
	Australia	9
	Belgium	9
	Egypt	9
	Costa Rica	4
	Romania	4
	Czech Republic	3
	Morocco	3
	Norway	3
	Oman	3
	Argentina	2
	Slovakia	2
	Austria	1
	Denmark	1
	Indonesia	1
	Ireland	1
	Mexico	1
	New Zealand	1
	Thailand	1
	United Arab Emirates	1

Win-Trojan/Xema.variant [AhnLab] is known to be created as:

%AllUsersProfile%\aeazmcifi.exe

%AllUsersProfile%\desktop.exe

%AllUsersProfile%\documents.exe

%AllUsersProfile%\drm.exe

%AllUsersProfile%\drm\drm.exe

%AllUsersProfile%\favorites.exe

%AllUsersProfile%\templates.exe

%AppData%\%username%.task\chasnah.exe

%AppData%\%username%.task\csrss.exe

%AppData%\%username%.task\lsass.exe

%AppData%\%username%.task\server.exe

%AppData%\%username%.task\smss.exe

%AppData%\.v4.3.0.0.build.1-res-patch.exe

%AppData%\048c9.exe

%AppData%\1.exe

%AppData%\25d590.exe

%AppData%\3.exe

%AppData%\40329.exe

%AppData%\48f2a.exe

%AppData%\5.exe

%AppData%\556.exe

%AppData%\55a67d.exe

%AppData%\7c.exe

%AppData%\9142.exe

%AppData%\9a9e9c.exe

%AppData%\adobe\manager.exe

%AppData%\adobe\player.exe

%AppData%\aibo\aibologon.exe

%AppData%\aibo\aiboreg.exe

%AppData%\aibo\aiboserv.exe

%AppData%\b2.exe

%AppData%\bifrost\server.exe

%AppData%\c27fe.exe

%AppData%\client.exe

%AppData%\crypter.exe

%AppData%\csrss.exe

%AppData%\d9faa.exe

%AppData%\df.exe

%AppData%\dllhst3g.exe

%AppData%\e1.exe

%AppData%\e86.exe

%AppData%\ec1957.exe

%AppData%\eehl\eehl.dll

%AppData%\explorer.exe

%AppData%\f508.exe

%AppData%\ff2.exe

%AppData%\inetinfo.exe

%AppData%\irm.dll

%AppData%\jjrcku\ufxqsysguard.exe

%AppData%\kctmon\kcol23.exe

%AppData%\keygen.exe

%AppData%\lsass.exe

%AppData%\microsoft\dsdv.exe

%AppData%\microsoft\hscg.exe

%AppData%\microsoft\izhv.exe

%AppData%\microsoft\logman.exe

%AppData%\microsoft\smss.exe

%AppData%\microsoft\svchost.exe

%AppData%\microsoft\vcwg.exe

%AppData%\microsoft\windows\lsass.exe

%AppData%\microsoft\windows\winlogon.exe

%AppData%\microsoft\winlog.exe

%AppData%\microsoft\wscp.exe

%AppData%\msobj.sys

%AppData%\ntuser3.exe

%AppData%\num.5.0.46.build.1205-patch.exe

%AppData%\pc\agent.exe

%AppData%\pcre3.dll

%AppData%\ptssvc.exe

%AppData%\rbinternetencodings550.dll

%AppData%\scvhost.exe

%AppData%\services.exe

%AppData%\setup.exe

%AppData%\setupcasino.exe

%AppData%\smart defender pro\smrtdefp.exe

%AppData%\smss.exe

%AppData%\svchost.exe

%AppData%\svchost\svchost.exe

%AppData%\svchost32.exe

%AppData%\svchosts.exe

%AppData%\un.virus.remover.2.3.-patch.exe

%AppData%\whosts.exe

%AppData%\win_holper\win_holper.exe

%AppData%\winlogon.exe

%AppData%\wuauct.exe

%AppData%\xfctbsptco.exe

%CommonAppData%\11144064\11144064.exe

%CommonAppData%\13088594\13088594.exe

%CommonAppData%\1770963855\1294226386.exe

%CommonAppData%\36934646\2063941586.exe

%CommonAppData%\3gp.exe

%CommonAppData%\431ae0b6.exe

%CommonAppData%\70509324\70509324.exe

%CommonAppData%\88277234\88277234.exe

%CommonAppData%\adobe.exe

%CommonAppData%\aoety.exe

%CommonAppData%\avg.exe

%CommonAppData%\axqhsdo.exe

%CommonAppData%\bfztua.exe

%CommonAppData%\bgzpbuhp.exe

Notes:

%AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.