TrojanSpy:Win32/Ardamax.BF

This malware may be present as a file name that varies among iterations of the trojan. The following are examples of files created when the trojan is executed:

%windir%\system32<character string>.001 (example: "system32jgii.001")
%windir%\system32<character string>.006
%windir%\system32<character string>.007
%windir%\system32<character string>.exe (example: "systemakv.exe")
%windir%\system.ini

Win32/Ardamax can be configured to hide the display of the following, which could have been used to indicate its presence on an affected computer:

• System tray icon
• Ardamax process
• Shortcuts in the Start menu
• Listing in Add/Remove Programs
• Win32/Ardamax program installation folder

Payload

Captures user information

The Ardamax key logger can be configured by an attacker to capture the following types of data to a log file:

• User-entered data via the keyboard
• Web browsing history
• Internet chat content
• Application usage
• Periodic screen shots
• Periodic webcam shots

Win32/Ardamax can be configured to send the captured data to the following specified destinations:

• Email address via SMTP
• FTP server
• A network connected computer

Analysis by Edgardo Diaz