.: AR34 :.

Released 17 years, 5 months ago. Dec 2004

By unsticky

Additional Details

  • Coded by: unsticky
  • Version: AR34
  • Released date: Dec 2004, 17 years, 5 months ago.
  • Coded in: Visual Basic, compressed with UPX
  • Family: AR34
  • Category: Information Stealer

MegaSecurity Notes

dropped file:
c:\WINDOWS\system32\msps.exe
size: 15.872 bytes 

startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"
data: C:\WINDOWS\system32\msps.exe 


tested on Windows XP
December 12, 2004

Author Words

Name: AR34
Class: Trojan / Password Stealer(?)
Author: unsticky
Build Date: Nov 27, 2004
Compiled in: Visual Basic 6
Packed in: UPX
File Size: 15.5 kb

Features:
+Copy to system32 using encrypted file name
+Delete intial server and run copy.
+Add to Startup 
+Hide from TaskManager 
+AV Killing - Ad-Aware, Norton, and McAfee 
+Firewall Killing - ZoneAlarm, Kerio, and Windows 
+System Tool Killing - TaskManager, MSConfig, RegEdit, SystemRestore, and Command Prompt
+Grab AIM MD5 Hashes and TestBuddy Passwords
+Grab External and Internal IPs 
+Log Hashes, Passwords, Host Name, and IPs to  encrypted hardcoded website.

unsticky

URL's and mails were automatically redacted (filtered) for reader's safety. However the filter is not perfect and can't find all harmful elements. If you find something dangerous including file link, website, mail address, profanity... contact me immediately at sub7crew@protonmail.com, thank you in advance.