RemoteAccess:Win32/AmmyyAdmin
First posted on 07 August 2012.
Source: Microsoft
Aliases:
RemoteAccess:Win32/AmmyyAdmin is also known as Program.Ammyy.1 (Dr.Web).
Explanation:
RemoteAccess:Win32/AmmyyAdmin is a remote control application that allows full control of the computer on which it is installed. Applications of this type are typically installed by the computer owner or administrator and should only be removed if they are not expected to be present on the computer.
The AmmyyAdmin program has built-in server and client components, so the same program can act as either the server or the client on a given computer. The person operating the client can remotely control the computer on which the server component is running.
Note: We have observed this program being used by people involved in technical support phone scams. Microsoft does not initiate technical support calls or try to sell you technical support. Do not trust unsolicited calls, and do not provide any personal information.
Installation
Once installed, AmmyyAdmin drops the following files:
- %AppData%\AMMYY\contacts.bin
- %AppData%\AMMYY\hr
- %AppData%\AMMYY\settings.bin
- <Program path>\AMMYY_Admin.log
AmmyyAdmin is installed as a service, which enables it to run every time the computer starts:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AmmyyAdmin
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "<Program path>\AMMYY_Admin.exe -service"
Sets value: "DisplayName"
With data: "Ammyy Admin"
Sets value: "ObjectName"
With data: "LocalSystem"
In subkeys:
HKCU\Software\Ammyy\Admin
HKLM\SOFTWARE\Ammyy\Admin
Sets value: "hr"
With data: "<hexadecimal values>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin
Sets value: "@"
With data: "Service"
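The service entry, SafeBoot entry, configuration keys and dropped files listed above are the artifacts an administrator would check for when deciding whether an AmmyyAdmin installation is expected. The following PowerShell triage script is an added example, not part of Microsoft's write-up or of the Ammyy software; the key names, value names and file paths are taken from the description above, while the output format, the per-profile file scan and the derivation of the program path from the service ImagePath are this script's own choices.

```powershell
# Added triage script (not from Microsoft's write-up): looks for the Ammyy Admin
# persistence and configuration artifacts listed in the Installation section.
$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Service persistence. Start=2 is SERVICE_AUTO_START, Type=0x10 is a standalone
#    Win32 service, ObjectName=LocalSystem means the binary runs as SYSTEM.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AmmyyAdmin'
$svc = $null
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    Add-Finding 'Service key' $svcKey ("ImagePath={0}; Start={1}; Type=0x{2:X}; ObjectName={3}" -f `
        $svc.ImagePath, $svc.Start, $svc.Type, $svc.ObjectName)
}

# 2. SafeBoot\Network entry: lets the service load in Safe Mode with Networking,
#    so booting to Safe Mode does not by itself cut off remote access.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin'
if (Test-Path $safeBoot) {
    Add-Finding 'SafeBoot entry' $safeBoot ('(default)=' + (Get-ItemProperty -Path $safeBoot).'(default)')
}

# 3. Configuration keys holding the "hr" binary value, per-user and machine-wide.
#    HKCU: only covers the account running this script; other accounts are
#    covered indirectly by the per-profile file scan below.
foreach ($cfg in 'HKCU:\Software\Ammyy\Admin', 'HKLM:\SOFTWARE\Ammyy\Admin') {
    if (Test-Path $cfg) {
        $hr = (Get-ItemProperty -Path $cfg).hr
        Add-Finding 'Config key' $cfg ("hr value present: {0}" -f ($null -ne $hr))
    }
}

# 4. Dropped files under %AppData%\AMMYY for every profile on the system drive,
#    since the program may have been installed under a different account.
$profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory
foreach ($prof in $profiles) {
    $dir = Join-Path $prof.FullName 'AppData\Roaming\AMMYY'
    foreach ($name in 'contacts.bin', 'hr', 'settings.bin') {
        $p = Join-Path $dir $name
        if (Test-Path $p) {
            $item = Get-Item -Path $p
            Add-Finding 'Dropped file' $p ("Size={0}; LastWrite={1:u}" -f $item.Length, $item.LastWriteTime)
        }
    }
}

# 5. Activity log next to the binary. <Program path> is not fixed, so derive it
#    from the service ImagePath ("<Program path>\AMMYY_Admin.exe -service").
if ($svc -and $svc.ImagePath) {
    $exe = ($svc.ImagePath -replace '\s+-service\s*$', '').Trim('"')
    $log = Join-Path (Split-Path -Path $exe -Parent) 'AMMYY_Admin.log'
    if (Test-Path $log) { Add-Finding 'Log file' $log ("Size={0}" -f (Get-Item -Path $log).Length) }
}

# 6. Live process and service state.
Get-Process -Name 'AMMYY_Admin' | ForEach-Object {
    Add-Finding 'Running process' $_.Path ("PID={0}; Started={1:u}" -f $_.Id, $_.StartTime)
}
Get-Service -Name 'AmmyyAdmin' | ForEach-Object {
    Add-Finding 'Service state' $_.Name ("Status={0}; StartType={1}" -f $_.Status, $_.StartType)
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No Ammyy Admin artifacts found.'
}
```

Run it from an elevated PowerShell prompt so that HKLM, other users' profiles and the process start times are readable. If the installation is not expected, the service can be stopped and its registration removed with `Stop-Service AmmyyAdmin` followed by `sc.exe delete AmmyyAdmin`; the dropped files and the two Ammyy\Admin configuration keys then need to be cleaned up separately, and the AMMYY_Admin.log file is worth preserving first because it records the remote sessions.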
Execution
AmmyyAdmin first connects to a remote server that acts as a relay between the server and client components, so neither end needs a directly reachable address. This relay server also assigns unique IDs to the server and client components.
Once connected, the person operating the client can remotely control the computer on which the server component is running.
[Screenshot: the client component]
[Screenshot: the server component]
Analysis by Ricardo Robielos
Last update 07 August 2012