Increased processor and network activity without apparent reason.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

When launched it performs the following actions:
    Ensures that it is run on every system startup by appending its own path to the Winlogon shell value
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\Shell = Explorer.exe (a clean system has exactly "Explorer.exe" here; any additional entry is a persistence indicator).
    Opens a UDP socket on a random port and sends datagrams of varying size and content to random IP addresses and ports (the source of the increased network activity noted above).
    Adds itself to the Windows Firewall registry key that defines the list of allowed applications:
    Tries to protect itself from detection and removal by disabling Task Manager and the Registry Editor through the user policy values:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]\DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]\DisableRegistryTools = 1
    Disables several well-known security-related services by changing their start mode in the registry, setting the value
[HKLM\SYSTEM\CurrentControlSet\Services\%service_name%]\Start to 0x4 (disabled), so the service is no longer started at boot (an already running instance is not stopped by the registry change itself):
    (ALG, VSSERV, bdss, NOD32krn, McShield, LIVESERV etc.)
    Drops and launches a keylogger, %system%\28463\svchost.exe, detected as Trojan.Kelog.Ardamax.NAL.
    Tries to connect to the following URLs (unavailable at the time of this description):
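The following PowerShell script is an added triage example, not part of the BitDefender description. It checks a live Windows host for the registry and file indicators listed above: the Winlogon Shell value, the two policy values, the Start = 4 state of the named services, the dropped keylogger path, and firewall allow-list entries referring to it. The firewall key path is an assumption (the description does not give it; the XP-era AuthorizedApplications\List key is used here), and the service list is only what the description names, so extend it for the products installed on your own hosts.

```powershell
# Added triage script (not BitDefender's code). Run from an elevated PowerShell prompt.
# Prints a list of findings, or "No indicators found." if nothing matches.

$findings = @()

# 1. Winlogon Shell should be exactly "Explorer.exe"; the malware appends its own path.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "Winlogon\Shell modified: '$shell'"
}

# 2. Task Manager / Registry Editor policy locks, checked in every loaded user hive
#    (the description lists HKCU; checking HKEY_USERS covers all logged-on profiles).
$policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS').PSChildName) {
    $key = "Registry::HKEY_USERS\$sid\$policy"
    if (Test-Path $key) {
        $p = Get-ItemProperty $key
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($p.$name -eq 1) { $findings += "$name = 1 under HKEY_USERS\$sid" }
        }
    }
}

# 3. Security services forced to Start = 4 (disabled). Names are those given in the
#    description; it ends with "etc.", so add the services of your own AV products.
$services = 'ALG', 'VSSERV', 'bdss', 'NOD32krn', 'McShield', 'LIVESERV'
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $start = (Get-ItemProperty $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings += "Service $svc has Start = 4 (disabled)" }
    }
}

# 4. Dropped keylogger: %system%\28463\svchost.exe. An svchost.exe outside System32
#    itself is suspicious regardless of the directory name.
$dropped = Join-Path $env:SystemRoot 'System32\28463\svchost.exe'
if (Test-Path $dropped) {
    $hash = (Get-FileHash $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA256 $hash)"
}

# 5. Firewall allow-list entries pointing at the dropped directory. ASSUMPTION: the
#    description does not name the key; the XP-era AuthorizedApplications\List key is
#    used here, for both the standard and the domain profile.
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -like '*28463*' } |
            ForEach-Object { $findings += "Firewall allow-list entry in ${profile}: $($_.Name)" }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

The checks are read-only; once an indicator is confirmed, let the scanner disinfect as the removal instructions say, then re-run the script to confirm the Winlogon Shell value and the service start modes have been restored, since a Start = 4 entry left behind keeps the security service from coming back at the next boot.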