
RemoteAccess:Win32/AmmyyAdmin


First posted on 07 August 2012.
Source: Microsoft

Aliases:

RemoteAccess:Win32/AmmyyAdmin is also known as Program.Ammyy.1 (Dr.Web).

Explanation:

RemoteAccess:Win32/AmmyyAdmin is a remote control application that allows full control of the computer on which it is installed. Applications of this type are typically installed by the computer owner or administrator and should only be removed if they are not expected to be present on the computer.

The AmmyyAdmin program has built-in server and client components, thus the program can be used as a server or as a client on the computer. The person controlling the client can remotely control the computer on which the server component is executed.

Note: We have observed this program being used by people involved in technical support phone scams. Microsoft does not initiate technical support calls or try to sell you technical support over the phone. Do not trust unsolicited calls, and do not provide any personal information to the caller.



Installation

Once installed, AmmyyAdmin drops the following files:

  • %AppData%\AMMYY\contacts.bin
  • %AppData%\AMMYY\hr
  • %AppData%\AMMYY\settings.bin
  • <Program path>\AMMYY_Admin.log


AmmyyAdmin is installed as a service, which enables it to run every time the computer starts:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AmmyyAdmin
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "<Program path>\AMMYY_Admin.exe -service"
Sets value: "DisplayName"
With data: "Ammyy Admin"
Sets value: "ObjectName"
With data: "LocalSystem"

In subkeys:
HKCU\Software\Ammyy\Admin
HKLM\SOFTWARE\Ammyy\Admin
Sets value: "hr"
With data: "<hexadecimal values>"

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin
Sets value: "@"
With data: "Service"
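
The following PowerShell function is an added example, not part of the Microsoft write-up: it checks a host for the files and registry artifacts listed above and reports which are present, so an analyst can compare the result against the expected software inventory. The install directory is not named in the write-up ("<Program path>"), so the `$ProgramPath` parameter below is an assumed default.

```powershell
# Added example (not from the original write-up): enumerate the AmmyyAdmin
# artifacts described above. Run from an elevated PowerShell session; HKLM
# and the service key are readable without elevation, but some files may not be.
function Get-AmmyyAdminArtifacts {
    [CmdletBinding()]
    param(
        # Assumed install directory; the write-up only says "<Program path>".
        [string]$ProgramPath = "$env:ProgramFiles\AMMYY"
    )
    $findings = @()

    # Files dropped under %AppData% and in the program directory.
    $files = @(
        "$env:APPDATA\AMMYY\contacts.bin",
        "$env:APPDATA\AMMYY\hr",
        "$env:APPDATA\AMMYY\settings.bin",
        (Join-Path $ProgramPath 'AMMYY_Admin.log')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Detail = "LastWrite=$((Get-Item -LiteralPath $f).LastWriteTime)" }
        }
    }

    # Service registration: Start=2 means automatic start at boot.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AmmyyAdmin'
    if (Test-Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey
        $findings += [pscustomobject]@{ Type = 'Service'; Location = $svcKey; Detail = "ImagePath=$($svc.ImagePath); Start=$($svc.Start); ObjectName=$($svc.ObjectName)" }
    }

    # SafeBoot\Network entry lets the service also load in Safe Mode with Networking.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin'
    if (Test-Path $safeBoot) {
        $findings += [pscustomobject]@{ Type = 'SafeBoot'; Location = $safeBoot; Detail = "Default=$((Get-ItemProperty -Path $safeBoot).'(default)')" }
    }

    # Opaque "hr" value under the per-user and per-machine Ammyy keys.
    foreach ($k in 'HKCU:\Software\Ammyy\Admin', 'HKLM:\SOFTWARE\Ammyy\Admin') {
        if (Test-Path $k) {
            $hr = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).hr
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = $k; Detail = "hr present: $($null -ne $hr)" }
        }
    }
    return $findings
}

Get-AmmyyAdminArtifacts | Format-Table -AutoSize
```

An empty result means none of the listed artifacts were found; a non-empty result only confirms the program is installed, and whether that is expected is a question for the owner or administrator of the machine.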

Execution

AmmyyAdmin first connects to a remote server that acts as a router (relay) between the server and client components. This relay server also assigns unique IDs to the server and client components.

Once connected, the person controlling the client can remotely control the computer on which the server component is executed.

(Screenshot of the client component: image not reproduced.)

(Screenshot of the server component: image not reproduced.)

Analysis by Ricardo Robielos

Last update 07 August 2012
