Spyware.Ardakey

When the program is executed, it creates the following files:

• %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Help.lnk
• %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk
• %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk
• %ProgramFiles%\NSK\AKV.exe
• %ProgramFiles%\NSK\license.txt
• %ProgramFiles%\NSK\menu.gif
• %ProgramFiles%\NSK\NSK.002
• %ProgramFiles%\NSK\NSK.003
• %ProgramFiles%\NSK\NSK.004
• %ProgramFiles%\NSK\NSK.005
• %ProgramFiles%\NSK\NSK.006
• %ProgramFiles%\NSK\NSK.007
• %ProgramFiles%\NSK\NSK.chm
• %ProgramFiles%\NSK\NSK.exe
• %ProgramFiles%\NSK\qs.html
• %ProgramFiles%\NSK\tray.gif
• %ProgramFiles%\NSK\Uninstall.exe
• %ProgramFiles%\Ardamax Keylogger\AKL.exe
• %ProgramFiles%\Ardamax Keylogger\kh.dll
• %ProgramFiles%\Ardamax Keylogger\il.dll
• %ProgramFiles%\Ardamax Keylogger\AKV.exe
• %ProgramFiles%\Ardamax Keylogger\Uninstall.exe
• %ProgramFiles%\Ardamax Keylogger\license.txt
• %ProgramFiles%\Ardamax Keylogger\qs.html
• %ProgramFiles%\Ardamax Keylogger\tray.gif
• %ProgramFiles%\Ardamax Keylogger\menu.gif
• %ProgramFiles%\Ardamax Keylogger\AKL.chm
• %ProgramFiles%\Ardamax Keylogger\akl.001
• %ProgramFiles%\Ardamax Keylogger\akl.002
• %ProgramFiles%\Ardamax Keylogger\akv.ini

It creates the following files, if the Lite version is installed:

• %UserProfile%\Programs\Ardamax Keylogger Lite\Ardamax Keylogger Lite.lnk
• %UserProfile%\Start Menu\Programs\Ardamax Keylogger Lite\Help.lnk
• %ProgramFiles%\Ardamax Keylogger Lite\AKL.chm
• %ProgramFiles%\Ardamax Keylogger Lite\akl.exe
• %ProgramFiles%\Ardamax Keylogger Lite\kh.dll
• %ProgramFiles%\Ardamax Keylogger Lite\license_lite.txt
• %ProgramFiles%\Ardamax Keylogger Lite\Settings.ini
• %ProgramFiles%\Ardamax Keylogger Lite\Uninstall.exe

The program creates the following registry subkeys:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\akl.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger

It creates the following subkeys, if the Lite version is installed:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger Lite
• HKEY_CURRENT_USER\Software\Ardamax Keylogger Lite

Next, it creates the following registry entries so that it executes whenever Windows starts:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"NSK" = "%ProgramFiles%\NSK\NSK.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Ardamax Keylogger" = "%ProgramFiles%\Ardamax Keylogger\akl.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\App Paths\"akl.exe" = "%CurrentFolder%\akl.exe"

If the Lite version is installed, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Ardamax KeyLogger" = "%ProgramFiles%\Ardamax Keylogger\Lite\akl.exe"

It prompts the user to install the following components:

• Keylogger Engine
• Log Viewer
• Documentation

The program may perform the following functions:

• Keystroke logging
• Log transferring via email
• Log transferring via FTP
• Hiding and Unhiding its tray icon using the Ctrl+Alt+Del+H key combination

It stores the gathered information in one of the following files:

• %ProgramFiles%\NSK\NSK.002
• %CurrentFolder%\Akl.klf

Summary