Skip to main content

SpyTool.Win32.Ardamax_e69a166910


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Ardamax.nbq (v) (VIPRE), Win32.SuspectCrc!IK (Emsisoft), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm, SpyTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: e69a166910f8e78323d7e60b36db6e46

SHA1: 4ee69c0da8c8295b0faceb57ba09d95871f65724

SHA256: 53ff710fbb277eae2dc509b001f3b29c5f78a6f8b4eb5e92f29554e39b9c06f3

SSDeep: 49152:UUvI87yM3f6DdGsoydd9j/bq5YFq2jJvTBm3UoRuio:UM0M3CZoEpdVT03UCu

Size: 2058240 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2013-12-01 18:31:17

Analyzed on: WindowsXP SP3 32-bit

Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The SpyTool creates the following process(es):

e69a166910f8e78:520

The SpyTool injects its code into the following process(es):

EDT.exe:1924

File activity

The process e69a166910f8e78:520 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\CRVKER\EDT.exe (15021 bytes)
%Documents and Settings%\All Users\Application Data\CRVKER\EDT.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\CRVKER\EDT.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\CRVKER\EDT.02 (56 bytes)

Registry activity

The process e69a166910f8e78:520 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 B4 37 2B 3A ED 29 CB 37 2D 1F 64 BE 99 4B 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\CRVKER]
"EDT.exe" = "EDT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process EDT.exe:1924 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 77 DE F1 46 41 CF 9B 3A BE 94 51 AA 1A 05 47"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EDT Start" = "%Documents and Settings%\All Users\Application Data\CRVKER\EDT.exe"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    e69a166910f8e78:520

  2. Delete the original SpyTool file.
  3. Delete or disinfect the following files created/modified by the SpyTool:

    %Documents and Settings%\All Users\Application Data\CRVKER\EDT.exe (15021 bytes)
    %Documents and Settings%\All Users\Application Data\CRVKER\EDT.00 (2 bytes)
    %Documents and Settings%\All Users\Application Data\CRVKER\EDT.01 (81 bytes)
    %Documents and Settings%\All Users\Application Data\CRVKER\EDT.02 (56 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EDT Start" = "%Documents and Settings%\All Users\Application Data\CRVKER\EDT.exe"

  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps