~600 kbytes


The following files will be present on an infected computer:

%Windows%\regsvr.exe (hidden)
%System%\svchost .exe (hidden)
%System%\setup.ini (hidden)

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

This worm is a compiled AutoIt script that uses a folder icon to entice the user into running it. If run, it performs the following actions:

    - drop a file named svchost.exe in the %System%\28463\ folder - this file is detected as Trojan.Keylog.Ardamax.NAL and is used to log the user's activity and send it to the malware author. The keystrokes are logged in two files named svchost.001 and svchost.002, created in the %System%\28463 folder
    - create the following three copies of itself:
%System%\svchost .exe (hidden)
%System%\regsvr.exe (hidden)

and add/modify the following registry values so that the worm and the keylogger run at every system startup:

Name: svchost Agent
Value: %System32%\28463\svchost.exe

Name: Msn Messenger
Value: %System%\regsvr.exe

Name: Shell
Value: Explorer.exe regsvr.exe

    - delete all scheduled tasks using the following command line:
    cmd.exe /C AT /delete /yes
and then create its own scheduled task using the following command:
    cmd.exe /C AT 09.00 /interactive /EVERY:m,t,w,th,f,s,su %windows%\svchost .exe
which is used to run one of the copies of the malware.

    - create a file named setup.ini in the %System% folder in order to spread itself via removable drives

It also modifies the following registry values:

NoFolderOptions = 0x00000000 - disables access to Tools | Folder Options in Windows Explorer

DisableRegistryTools = 0x00000001 - disables the registry tools
    - try to download the following files onto the user's computer
(the URLs were no longer active when this description was written)
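A defender-side check for the persistence indicators described above, added here as an example and not Bitdefender's own code: it audits a constructed set of Run values, the Winlogon Shell value and a file listing for the patterns this description mentions (the space-padded "svchost .exe" lookalike, a program launched from a numeric subfolder of %System%, and an extra program appended to the Shell value). The registry value names and the sample data are assumptions modelled on the text, not captured from an infected machine.

```python
import re

# Legitimate Windows binaries that the worm's file names imitate (assumption:
# this small set covers the indicators listed in the description).
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe"}

def lookalike_name(filename):
    """Return the system binary a padded name imitates, else None.
    'svchost .exe' collapses to 'svchost.exe' but is not that file."""
    collapsed = re.sub(r"\s+", "", filename).lower()
    if collapsed in SYSTEM_BINARIES and collapsed != filename.lower():
        return collapsed
    return None

def shell_extra_programs(shell_value):
    """Winlogon's Shell value should be just 'Explorer.exe'; return any
    additional programs appended to it (the worm appends 'regsvr.exe')."""
    parts = shell_value.split()
    if parts and parts[0].lower() == "explorer.exe":
        return parts[1:]
    return parts  # shell replaced entirely: report the whole value

def audit_startup(run_values, shell_value, files):
    """run_values: {value name: command}; files: list of file paths.
    Returns human-readable findings; an empty list means nothing matched."""
    findings = []
    for name, cmd in run_values.items():
        exe = cmd.replace("\\", "/").split("/")[-1]
        if lookalike_name(exe):
            findings.append(f"Run '{name}' launches lookalike {exe!r}")
        elif re.search(r"%system(32)?%[\\/]\d+[\\/]", cmd, re.I):
            findings.append(f"Run '{name}' launches from numeric subfolder: {cmd}")
    for extra in shell_extra_programs(shell_value):
        findings.append(f"Shell value launches extra program {extra!r}")
    for path in files:
        exe = path.replace("\\", "/").split("/")[-1]
        if lookalike_name(exe):
            findings.append(f"file {path!r} imitates {lookalike_name(exe)}")
    return findings

# Constructed sample mirroring the description above (not captured data).
SAMPLE_RUN = {
    "svchost Agent": r"%System32%\28463\svchost.exe",
    "Msn Messenger": r"%System%\regsvr.exe",
    "OneDrive": r"C:\Users\u\AppData\Local\OneDrive.exe",  # benign, must not fire
}
SAMPLE_SHELL = "Explorer.exe regsvr.exe"
SAMPLE_FILES = [r"%System%\svchost .exe", r"%System%\svchost.exe"]

if __name__ == "__main__":
    for finding in audit_startup(SAMPLE_RUN, SAMPLE_SHELL, SAMPLE_FILES):
        print(finding)
```

The "Msn Messenger" entry is deliberately not caught by these generic rules, which is why the description's exact file names still belong in a signature alongside such heuristics.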