
Artesimda.A

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects

Artesimda.A carries out the following actions:

  • It has rootkit functionality to make its detection more difficult.
  • It creates a Windows user account with the following characteristics:
    username: Adminestrator
    password: Pass3488585

  • It uses the Windows file SESSMGR.EXE, a remote-administration service, together with the user account it has created, to access the affected computer remotely.
  • It attempts to download a file to the system; the file can be of any nature, including malware.
  • It opens a random TCP port so that the computer can act as a server. Through this port it can send out information or give an attacker remote control of the computer.
  • It monitors the Internet traffic generated on the computer and accesses the files in which data entered by users in web forms is stored.
  • In this way it obtains confidential data, such as usernames and passwords for banking and email accounts, among others.
  • It obtains information about the computer, such as the IP address, the system name, the geographic area, open ports, etc.
  • It then sends the gathered data to a certain server.

Infection strategy

Artesimda.A creates the following files:

  • 9129837.EXE, in the Windows directory. This file is a copy of the Trojan.
  • NEW_DRV.SYS, in the subfolder DRIVERS of the Windows system directory. This file belongs to the rootkit Spyforms.H and is used to hide the copy of the Trojan.

Artesimda.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv
    By creating this entry, Artesimda.A runs the service belonging to the rootkit when Windows is started.
  • HKEY_USERS\S-1-5-20\Software\Microsoft\InetData

Artesimda.A modifies the following entry of the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
    Start = 03, 00, 00, 00

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
    Start = 04, 00, 00, 00

    Start is a REG_DWORD service start type: 3 means manual start and 4 means disabled. SharedAccess is the service behind the Windows XP firewall (Internet Connection Firewall / Internet Connection Sharing), so setting it to 4 prevents the firewall from starting. This way, Artesimda.A disables the Windows XP firewall.
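The files, registry entries, service and user account listed above are all host-based indicators that can be checked without executing anything from the infected machine. The following read-only triage script is an added example and is not Panda Security's code; it assumes Windows PowerShell 5.1 or later (for Get-LocalUser and Get-CimInstance) run from an elevated prompt, and the report format and function names are my own. It checks the dropped files, the rootkit service (through the Service Control Manager as well as the registry, since a rootkit may hide its own key from a plain registry read), the SharedAccess start type and the Adminestrator account.

```powershell
# Added example (not Panda Security's code): read-only triage for the Artesimda.A
# indicators described on this page. Assumes PowerShell 5.1+ on Windows, elevated.

function Get-ArtesimdaIndicators {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Files dropped by the Trojan: a copy in the Windows directory and the
    #    Spyforms.H rootkit driver under system32\drivers.
    $paths = @(
        (Join-Path $env:WINDIR '9129837.EXE'),
        (Join-Path $env:WINDIR 'system32\drivers\NEW_DRV.SYS')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
    }

    # 2. Registry keys the Trojan creates. S-1-5-20 is the NetworkService SID.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\new_drv',
        'Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\InetData'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
    }

    # The rootkit may hide its own service key from the registry API, so also ask
    # the Service Control Manager, which enumerates kernel drivers via WMI.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='new_drv'" -ErrorAction SilentlyContinue
    if ($drv) { $findings.Add("Kernel driver registered: new_drv (state: $($drv.State))") }

    # 3. Firewall service start type. The page documents ControlSet001; CurrentControlSet
    #    points at whichever control set is active, so both are checked.
    foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
        $sa = Get-ItemProperty -Path "HKLM:\SYSTEM\$cs\Services\SharedAccess" -Name Start -ErrorAction SilentlyContinue
        if ($sa -and $sa.Start -eq 4) {
            $findings.Add("SharedAccess (Windows Firewall/ICS) disabled in $cs (Start = 4)")
        }
    }

    # 4. Backdoor account. Get-LocalUser raises an error for a missing user, so catch it.
    $user = try { Get-LocalUser -Name 'Adminestrator' -ErrorAction Stop } catch { $null }
    if ($user) { $findings.Add("Local account present: Adminestrator (enabled: $($user.Enabled))") }

    # 5. Heuristic only: the Trojan listens on a random port via SESSMGR.EXE, so any
    #    listening socket owned by a sessmgr process is worth a look (Windows 8+ cmdlet).
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and $proc.ProcessName -ieq 'sessmgr') {
                $findings.Add("sessmgr.exe (PID $($proc.Id)) listening on TCP port $($_.LocalPort)")
            }
        }
    }

    return $findings
}

$result = Get-ArtesimdaIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Artesimda.A indicators found.'
} else {
    Write-Output "Artesimda.A indicators found ($($result.Count)):"
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

Because the driver is a rootkit, a clean result from the registry and file checks on the live system is not conclusive; the driver enumeration and the SharedAccess start type are harder to hide, and an offline check of the same paths and hives from a boot disk is the reliable confirmation. If the firewall has been disabled, restoring it is a matter of setting the SharedAccess service back to its original start type after the driver and its service entry have been removed.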

Means of transmission

Artesimda.A does not spread automatically by its own means. It requires the intervention of an attacker to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels and peer-to-peer (P2P) file sharing networks.

Further Details

Artesimda.A is 62,999 bytes in size.

Last updated: 17/04/2007
