New Speed Hack for patch 5116

Discussion on New Speed Hack for patch 5116 within the CO2 Exploits, Hacks & Tools forum part of the Conquer Online 2 category.

Closed Thread
 
Old   #1
 
elite*gold: 0
Join Date: Mar 2007
Posts: 177
Received Thanks: 37
New Speed Hack for patch 5116

[All Text Removed - Hiyoal]
cocolimo is offline  
Thanks
7 Users
Old 03/29/2009, 19:29   #2
 
elite*gold: 0
Join Date: Jun 2008
Posts: 12
Received Thanks: 8
ARDAMAX KEYLOGGER DON'T DOWNLOAD
gewoon is offline  
Thanks
4 Users
Old 03/29/2009, 19:31   #3
 
elite*gold: 0
Join Date: Mar 2007
Posts: 177
Received Thanks: 37
Quote:
Originally Posted by gewoon View Post
ARDAMAX KEYLOGGER DON'T DOWNLOAD
false alarm, this program is clean.
may show auto.it in scan.
cocolimo is offline  
Thanks
4 Users
Old 03/29/2009, 20:07   #4
 
elite*gold: 0
Join Date: Jun 2006
Posts: 965
Received Thanks: 576
I will analyze this more in a bit guys. Speed hack seems safe...
high6 is offline  
Thanks
4 Users
Old 03/29/2009, 20:28   #5
 
elite*gold: 0
Join Date: Aug 2008
Posts: 45
Received Thanks: 16
Antivir: Nothing found
ArcaVir: Nothing found
Avast: Nothing found
AVG: Nothing found
BitDefender: Nothing found
F-Prot: Nothing found
Norman: Nothing found
Rising: Nothing found
VirusBlokAda32: Nothing found
VirusBuster: Nothing found


Scanned by
marcino16 is offline  
Thanks
4 Users
Old 03/29/2009, 20:49   #7
 
 
elite*gold: 0
Join Date: Jan 2008
Posts: 130
Received Thanks: 266
Quote:
Originally Posted by high6 View Post
I will analyze this more in a bit guys. Speed hack seems safe...
Are you sure?

File 90_NoDC-SpeedHack-XclusiveRelease received on 03.29.2009 20:42:25 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.29 Trojan-Spy.Win32.Ardamax!IK
AhnLab-V3 5.0.0.2 2009.03.29 -
AntiVir 7.9.0.129 2009.03.27 ADSPY/Dropper.Ardamax.Gen
Antiy-AVL 2.0.3.1 2009.03.29 -
Authentium 5.1.2.4 2009.03.28 W32/Ardamax.H
Avast 4.8.1335.0 2009.03.29 -
AVG 8.5.0.285 2009.03.28 PSW.Generic5.ZKD
BitDefender 7.2 2009.03.29 Trojan.Keylog.Ardamax.NAI
CAT-QuickHeal 10.00 2009.03.28 Trojan.Agent.IRC
ClamAV 0.94.1 2009.03.29 Trojan.Dropper-3246
Comodo 1089 2009.03.29 TrojWare.Win32.TrojanSpy.Ardamax.~L
DrWeb 4.44.0.09170 2009.03.29 Trojan.MulDrop.15072
eSafe 7.0.17.0 2009.03.27 -
eTrust-Vet 31.6.6421 2009.03.27 -
F-Prot 4.4.4.56 2009.03.28 W32/Ardamax.H
Fortinet 3.117.0.0 2009.03.29 Misc/BadJoke_Agent
GData 19 2009.03.29 Trojan.Keylog.Ardamax.NAI
Ikarus T3.1.1.48.0 2009.03.29 Trojan-Spy.Win32.Ardamax
K7AntiVirus 7.10.684 2009.03.28 Trojan-Spy.Win32.Ardamax.N
Kaspersky 7.0.0.125 2009.03.29 Trojan-Spy.Win32.Ardamax.n
McAfee 5568 2009.03.29 Spy-Agent.cv
McAfee+Artemis 5568 2009.03.29 Spy-Agent.cv
McAfee-GW-Edition 6.7.6 2009.03.29 Ad-Spyware.Dropper.Ardamax.Gen
Microsoft 1.4502 2009.03.29 TrojanSpy:Win32/Ardamax.A
NOD32 3972 2009.03.28 Win32/KeyLogger.Ardamax.NAP
Norman 6.00.06 2009.03.27 -
nProtect 2009.1.8.0 2009.03.29 -
Panda 10.0.0.10 2009.03.29 Suspicious file
PCTools 4.4.2.0 2009.03.29 -
Rising 21.22.62.00 2009.03.29 Trojan.Spy.Win32.Ardamax.n
Sophos 4.40.0 2009.03.29 Ardamax Installer
Sunbelt 3.2.1858.2 2009.03.29 Ardamax Keylogger
Symantec 1.4.4.12 2009.03.29 Suspicious.MH690.A
TheHacker 6.3.3.9.296 2009.03.29 -
TrendMicro 8.700.0.1004 2009.03.28 TSPY_ARDAMAX.GA
VBA32 3.12.10.1 2009.03.27 Trojan-Spy.Win32.Ardamax.n
ViRobot 2009.3.27.1666 2009.03.27 -

Request Ban , Edit and Close ! <3
Sniguracka is offline  
Thanks
7 Users
Old 03/29/2009, 21:16   #8
 
elite*gold: 0
Join Date: Jun 2006
Posts: 965
Received Thanks: 576
I didn't see anything on the speedhack.

But yes the first download is a virus from what I see. A poorly written one too.
high6 is offline  
Thanks
6 Users
Old 03/29/2009, 21:18   #9
 
elite*gold: 0
Join Date: Jun 2006
Posts: 965
Received Thanks: 576
It extracts a ton of files to a folder (random numbers) in system32 and then executes some exes.
high6 is offline  
Thanks
4 Users
Old 03/29/2009, 22:19   #10
 
elite*gold: 0
Join Date: Mar 2009
Posts: 1
Received Thanks: 5
****

the file is virased
3lawerkoko is offline  
Thanks
5 Users
Old 03/29/2009, 22:43   #11
 
elite*gold: 0
Join Date: Jun 2008
Posts: 10
Received Thanks: 15
Malicious TROJAN Detected
Quote:
Originally Posted by cocolimo View Post
false alarm, this program is clean.
No sir, this is a keylogging Trojan, and as a Programmer, I'm going to show to you how you are deceiving everyone.



Quote:

File Info

Report generated: 29.3.2009 at 22.30.39 (GMT 1)
Filename: 01FirstConquerPatcher5105.exe.exe
File size: 745 KB
MD5 Hash: FD65C96F6291683B0B280717106D961C
SHA1 Hash: BDAACD496D9787D48DE7682479F8479CB3D9EBCF
Packer detected: Microsoft Visual C++ 6.0 [Overlay]
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 18 on 24

Detections

a-squared - Nothing found!
Avira AntiVir - ADSPY/Dropper.Ardamax.Gen
Avast - Nothing found!
AVG - PSW.Generic5.ZKD
BitDefender - Trojan.Keylog.Ardamax.NAI
ClamAV - Trojan.Dropper-3246
Comodo - TrojWare.Win32.TrojanSpy.Ardamax.~L
Dr.Web - Trojan.MulDrop.15072
Ewido - Logger.Ardamax.n
F-PROT 6 - W32/Ardamax.H
G DATA - Trojan-Spy.Win32.Ardamax.n A
IkarusT3 - Trojan-Spy.Win32.Ardamax
Kaspersky - Trojan-Spy.Win32.Ardamax.n
McAfee - Spy-Agent.cv trojan
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Win32/KeyLogger.Ardamax.NAP
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Trojan.Agent.IRC
Solo Antivirus - Nothing found!
Sophos - Ardamax Installer
TrendMicro - TSPY_ARDAMAX.GA
VBA32 - Trojan-Spy.Win32.Ardamax.n
Virus Buster - Trojan.DR.Ardamax.Gen.3

Scan report generated by
When we log the network activity of your 'cheat', we see it do the following:

Quote:
Log to come, filtering out IP address and unneeded information from it

When we run your Trojan in a Sandbox, the following is what happens:


Code:
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.    
 
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.     

Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.     

Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.    

Spawns Processes: The executable produces processes during the execution. 
    
Performs Registry Activities: The executable reads and modifies register values. It also creates and monitors register keys.
First, this trojan creates the following files on the host computer:

Code:
C:\DOCUME~1\user\LOCALS~1\Temp\@1.tmp
C:\DOCUME~1\user\LOCALS~1\Temp\@2.tmp
C:\WINDOWS\system32\28463\
C:\WINDOWS\system32\28463\AKV.exe
C:\WINDOWS\system32\28463\HDIO.001
C:\WINDOWS\system32\28463\HDIO.006
C:\WINDOWS\system32\28463\HDIO.007
C:\WINDOWS\system32\28463\HDIO.exe
And then it reads and/or modifies these files on the host computer:
Code:
C:\DOCUME~1\user\LOCALS~1\Temp\@2.tmp
C:\Documents and Settings\All Users\Documents\desktop.ini
C:\Documents and Settings\user\My Documents\desktop.ini
C:\WINDOWS\Registration\R00000000000f.clb
C:\WINDOWS\system32\28463\HDIO.exe
C:\sample.exe
PIPE\lsarpc
PIPE\wkssvc
After which, it modifies and adds these registry keys to the host computer:

Code:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Run    HDIO Agent    C:\WINDOWS\system32\28463\HDIO.exe
Then it sends your data to his server/FTP mentioned above so he can take your passwords and information.
CampStaff is offline  
Thanks
3 Users
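
Added example, not part of the thread or any poster's code: a defender-side check for the persistence pattern reported in posts #9 and #11, a Run-key value that launches an exe from a digits-only folder under system32. The function names, the ENV expansion table and every sample row except "HDIO Agent" are constructed for illustration.

```python
import ntpath
import re

# Heuristic taken from the thread: the dropper unpacks into a digits-only
# folder under system32 and autostarts an exe from there via the Run key.
NUMERIC_SYS32 = re.compile(r"^[a-z]:\\windows\\system32\\(\d+)\\[^\\]+\.exe$")

# Assumed environment expansions for offline analysis (constructed defaults).
ENV = {"%systemroot%": r"C:\WINDOWS", "%windir%": r"C:\WINDOWS"}


def extract_exe(command):
    """Return the normalized executable path from a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end != -1 else cmd[1:]
    else:
        # Unquoted: cut at the first ".exe" so paths with spaces survive.
        m = re.search(r"\.exe", cmd, re.IGNORECASE)
        path = cmd[: m.end()] if m else cmd.split(" ")[0]
    for var, value in ENV.items():
        # Callable replacement keeps backslashes in the value literal.
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return ntpath.normpath(path)  # collapses "..", unifies separators


def suspicious_autoruns(entries):
    """entries: iterable of (value_name, command). Returns flagged findings."""
    findings = []
    for name, command in entries:
        exe = extract_exe(command)
        m = NUMERIC_SYS32.match(exe.lower())
        if m:
            findings.append({"name": name, "exe": exe, "folder": m.group(1)})
    return findings


# Constructed sample of HKLM\...\CurrentVersion\Run values; only the
# "HDIO Agent" row comes from the sandbox report quoted in the thread.
SAMPLE_RUN_VALUES = [
    ("HDIO Agent", r"C:\WINDOWS\system32\28463\HDIO.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r'"C:\Program Files\Vendor\update.exe" /background'),
    ("Helper", r"%SystemRoot%\system32\90210\svc.exe -s"),
]

if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_RUN_VALUES):
        print(f"{f['name']}: {f['exe']} (numeric folder {f['folder']})")
```

A hit is a lead for triage rather than a verdict; the flagged folder and exe still need to be inspected before anything is removed.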
Old 03/30/2009, 01:48   #12
 
 
elite*gold: 0
Join Date: Jun 2008
Posts: 78
Received Thanks: 12
I wanted it, but for some reason I believe it's a keylogger
coolkid1 is offline  
Old 03/30/2009, 03:13   #13
 
elite*gold: 0
Join Date: Feb 2009
Posts: 5
Received Thanks: 2
.....
mohamedtota is offline  
Old 03/30/2009, 04:55   #14
 
elite*gold: 0
Join Date: Nov 2008
Posts: 4
Received Thanks: 4
my pc is lower for virus ardamax and etc...
Jenks is offline  
Old 03/30/2009, 06:14   #15
 
elite*gold: 0
Join Date: Feb 2008
Posts: 5
Received Thanks: 0
how do i remove it?
sivarak is offline  
Closed Thread




All times are GMT +2.

