
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Artesimda.A

Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects

Artesimda.A carries out the following actions:

  • It has rootkit functionality in order to make its detection more difficult.
  • It creates a Windows user account with the following characteristics:
    username: Adminestrator
    password: Pass3488585

  • It uses the Windows file SESSMGR.EXE, a remote administration service, together with the user account it has created, in order to access the affected computer remotely.
  • It attempts to download a file to the system, which can be of any nature, including malware.
  • It opens a random TCP port in order to use the computer as a server. This way, it could send out information or obtain remote control of the computer.
  • It monitors the Internet traffic generated on the computer and accesses the files in which the data entered by users into web forms is stored. This way, it obtains confidential data, such as usernames and passwords belonging to banking and email accounts, among others.
  • It obtains information about the computer, such as the IP address, the name of the system, geographic area, open ports, etc.
  • Then, it sends the gathered data to a certain server.

Infection strategy

Artesimda.A creates the following files:

  • 9129837.EXE, in the Windows directory. This file is a copy of the Trojan.
  • NEW_DRV.SYS, in the subfolder DRIVERS of the Windows system directory. This file belongs to the rootkit Spyforms.H and is used to hide the copy of the Trojan.


Artesimda.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv
    By creating this entry, Artesimda.A runs the service belonging to the rootkit when Windows is started.
  • HKEY_USERS\S-1-5-20\Software\Microsoft\InetData


Artesimda.A modifies the following entry of the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
    Start = 03, 00, 00, 00

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
    Start = 04, 00, 00, 00

    This way, Artesimda.A disables the Windows XP firewall.
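The following Python script is an added example and is not part of the encyclopedia entry or of any Panda Security tool. It turns the indicators listed above (the Adminestrator account, the two dropped files, the new_drv service key and the SharedAccess Start value) into checks that a defender can run over a host snapshot. The snapshot here is constructed: a list of local account names, a file listing, and a fragment in the .reg export format that regedit produces. The Start type values (3 = SERVICE_DEMAND_START, 4 = SERVICE_DISABLED) are the standard Win32 service start types; SharedAccess is the Windows Firewall/Internet Connection Sharing service on Windows XP. Function and variable names are this example's own.

```python
import re
from typing import Dict, List

# Indicators taken from the encyclopedia entry.
IOC_FILES = ("9129837.exe", "new_drv.sys")          # dropped copy + rootkit driver
IOC_ACCOUNT = "adminestrator"                        # hard-coded backdoor account
IOC_SERVICE = "new_drv"                              # rootkit service name
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess"

# Win32 service start types (the value of the "Start" REG_DWORD).
SERVICE_DEMAND_START = 3   # shown as "Manual" in services.msc
SERVICE_DISABLED = 4


def decode_reg_dword_bytes(byte_list: str) -> int:
    """Decode a REG_DWORD written as little-endian bytes the way the entry
    shows it, e.g. "04, 00, 00, 00" -> 4."""
    raw = bytes(int(b, 16) for b in byte_list.split(","))
    return int.from_bytes(raw, "little")


def reg_dword(value: str) -> int:
    """Decode the .reg export form, e.g. 'dword:00000004' -> 4."""
    return int(value.split(":", 1)[1], 16)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for [key] headers and "name"=value lines of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
        elif current and "=" in line:
            name, value = line.split("=", 1)
            keys[current][name.strip('"')] = value
    return keys


def scan_host(local_accounts: List[str], file_listing: List[str], reg_export: str) -> List[str]:
    """Return one finding string per indicator present in the snapshot."""
    findings: List[str] = []
    # 1. The backdoor account created by the Trojan.
    for account in local_accounts:
        if account.lower() == IOC_ACCOUNT:
            findings.append(f"account: {account}")
    # 2. The dropped files (matched on file name, directory-insensitive).
    for path in file_listing:
        if path.lower().rsplit("\\", 1)[-1] in IOC_FILES:
            findings.append(f"file: {path}")
    keys = parse_reg_export(reg_export)
    # 3. The rootkit service key, in whichever control set it was exported from.
    for key in keys:
        if key.lower().endswith("\\services\\" + IOC_SERVICE):
            findings.append(f"service key: {key}")
    # 4. The firewall service set to Disabled (Start = 4).
    shared_access = keys.get(SHAREDACCESS_KEY, {})
    if "Start" in shared_access and reg_dword(shared_access["Start"]) == SERVICE_DISABLED:
        findings.append("SharedAccess Start=4 (Windows Firewall/ICS service disabled)")
    return findings


# Constructed sample snapshot of an affected XP host (not real captured data).
SAMPLE_ACCOUNTS = ["Administrator", "Adminestrator", "Guest"]
SAMPLE_FILES = [
    r"C:\WINDOWS\9129837.EXE",
    r"C:\WINDOWS\system32\drivers\NEW_DRV.SYS",
    r"C:\WINDOWS\system32\sessmgr.exe",   # legitimate Windows file; must not be flagged on its own
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_ACCOUNTS, SAMPLE_FILES, SAMPLE_REG):
        print(finding)
```

The SESSMGR.EXE entry is deliberately left out of the indicator list: it is a legitimate Windows component that the Trojan abuses, so its presence alone says nothing. What does matter is the combination of the created account, the dropped files and the Start value of SharedAccess flipping from 3 to 4, which is why the script reports each separately rather than as a single verdict.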

Means of transmission

Artesimda.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details

Artesimda.A is 62,999 bytes in size.