
Ammyy Admin

Posted: January 9, 2014

Threat Metric

Ranking: 319
Threat Level: 1/10
Infected PCs: 592,870
First Seen: January 9, 2014
Last Seen: October 17, 2023
OS(es) Affected: Windows


The AMMYY RAT, or FlawedAmmyy, is a Remote Access Trojan that gives criminals backdoor control over infected PCs. The actions of a remote attacker can result in the theft of confidential information, the installation of other threats, significant changes to the file system and other security issues. Since this Trojan runs without the user's knowledge, malware experts recommend using anti-malware programs capable of deleting the AMMYY RAT automatically before taking steps for re-securing the PC and its data.

Legal Software Twisted to Illegal Uses

The Ammyy Admin Remote Administration Tool has been conscripted into a series of criminal campaigns that, unusually, target both specific company networks, such as entities in the automotive industry, and random PC users. The earliest of these AMMYY RAT attacks date back to 2016, with millions of spam e-mail messages as the evident infection vector. Malware experts also note a possible connection to TA505, a threat group known for distributing the Dridex banking Trojan and the file-locking GlobeImposter Ransomware.

The AMMYY RAT is delivered by Trojan downloaders that circulate as e-mail-attached ZIP archives containing fake URL shortcut files, and as Word documents carrying malicious macros. Most of the AMMYY RAT's source is based on a leak of the Ammyy Admin source code and, like that product, it requires no installation and ships as a single small executable. Features that malware analysts single out as hazardous on an infected PC include:

  • File-transfer capabilities let criminals upload confidential files from the infected PC to their own servers, or download other files to the PC (such as installers for additional Trojans).
  • Traditional remote-desktop functionality gives the attacker a live view of the screen and control of the mouse and keyboard.
  • Because the client opens its own outbound connection to a relay server, as the legitimate product does, the AMMYY RAT works through firewalls and NAT that would ordinarily block unsolicited inbound connections; no listening port has to be exposed on the victim's side.

An AMMYY RAT infection, like any backdoor-capable threat, also implies the possible presence of banking Trojans, spyware, and other threatening software, due to how much control it grants the remote attacker over the computer.

Curtailing the Administration that's Coming from the Wrong Places

The most recent AMMYY RAT attacks occurred in early March 2018. Since earlier waves went undetected by much of the AV industry, users should be stringent about updating all security software to reduce the failure rate in detecting this threat. The AMMYY RAT runs on Windows 2000 through Windows 8, including server editions, on both 32-bit and 64-bit architectures. The general public and well-funded corporate entities are in equal danger from the Remote Access Trojan's campaigns, whose threat actor sends high-volume bursts of spam e-mail lasting one or two days at a time.

Social engineering lures often help drop threats like the AMMYY RAT, and malware analysts connect two of them in particular with the latest infections. Fake invoice and billing information may trick a PC user into opening a Trojan downloader without realizing it. Alternately, the downloader is embedded in a document macro, which the criminal disguises as an encryption-based security feature that the victim must "enable" to read the document. Any competent anti-malware solution should block both of these attacks or remove the AMMYY RAT from the computer afterward.
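The two lures above (a ZIP hiding a URL shortcut, and an Office document carrying a macro) can be triaged offline before anyone opens them. The following PowerShell script is an added example, not code from this page or from Ammyy: it inspects a folder of saved attachments read-only, listing ZIP entries without extracting them and checking Word documents for a VBA project. The folder path is a hypothetical default; the list of extensions treated as out of place in an "invoice" archive is the author's choice, with `.url` being the one the campaign used.

```powershell
# Added example: read-only triage of saved e-mail attachments for the FlawedAmmyy lures.
# Nothing is executed or extracted to disk. -Folder is a hypothetical default location.
param([string]$Folder = "$env:USERPROFILE\Downloads\attachments")

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Entry types that have no business inside an "invoice" archive; .url is what this campaign used.
$BadArchiveExt = @('.url', '.lnk', '.exe', '.scr', '.js', '.jse', '.vbs', '.wsf', '.hta')

function Get-ZipEntryNames([string]$Path) {
    # Lists entry names only; the archive is never extracted.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try     { @($zip.Entries | ForEach-Object { $_.FullName }) }
    finally { $zip.Dispose() }
}

function Test-LegacyDocHasVba([string]$Path) {
    # A binary .doc is an OLE compound file. The VBA storage appears as the UTF-16LE stream
    # name "_VBA_PROJECT" in its directory entries, so a raw byte search is enough for triage.
    $raw    = [IO.File]::ReadAllBytes($Path)
    $latin1 = [Text.Encoding]::GetEncoding(28591).GetString($raw)   # 1 byte -> 1 char, lossless
    $marker = ([char[]]'_VBA_PROJECT' | ForEach-Object { "$_" + [char]0 }) -join ''
    return $latin1.Contains($marker)
}

function Get-AttachmentVerdict([IO.FileInfo]$File) {
    $reasons = @()
    $ext = $File.Extension.ToLower()
    try {
        switch ($ext) {
            '.zip' {
                foreach ($name in Get-ZipEntryNames $File.FullName) {
                    $inner = [IO.Path]::GetExtension($name).ToLower()
                    if ($BadArchiveExt -contains $inner) { $reasons += "archive entry $name" }
                }
            }
            { $_ -in '.docx', '.docm', '.dotm' } {
                # OOXML is itself a ZIP; a macro project is stored as the vbaProject.bin part.
                $names = Get-ZipEntryNames $File.FullName
                if ($names -match 'vbaProject\.bin$') { $reasons += 'VBA project inside Office document' }
            }
            '.doc' {
                if (Test-LegacyDocHasVba $File.FullName) { $reasons += 'VBA project inside legacy .doc' }
            }
        }
    } catch {
        # A corrupt or password-protected container is itself worth a look.
        $reasons += "unreadable ($($_.Exception.Message))"
    }
    $verdict = if ($reasons.Count -gt 0) { 'SUSPICIOUS' } else { 'clean' }
    [pscustomobject]@{ File = $File.Name; Verdict = $verdict; Reasons = ($reasons -join '; ') }
}

Get-ChildItem -LiteralPath $Folder -File |
    ForEach-Object { Get-AttachmentVerdict $_ } |
    Format-Table -AutoSize -Wrap
```

A "clean" verdict here only means neither lure pattern was present; a document with a VBA project is flagged regardless of what the macro does, which is the right bias for mail from unknown senders.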

Since the AMMYY RAT is leveraged so indiscriminately, its operational goal may be no more complicated than monetizing the compromised victims. However, it is just as possible that different criminals are exploiting Ammyy Admin's toolset for various ends, with the overall consequences yet to be recorded.

Aliases

  • not-a-virus:RemoteAdmin.Win32.Ammyy.an [Kaspersky]
  • RemoteAdmin/Win32.Ammyy [Antiy-AVL]
  • SPR/RemoteAdmin.AG [AntiVir]

The "not-a-virus" and "SPR" prefixes mark these as riskware detections: the engines recognize the Ammyy Admin remote-administration tool itself, which is legitimate software, rather than one specific malicious build. A hit on these names therefore says the tool is present, not who installed it or why.

Technical Details

File System Modifications


The following files were created in the system. All 21 entries are Windows executables named AA_v3.exe (the page records each as "Executable File", MIME type unknown/exe, group "Malware file"); paths are given in full, with <username> left as the page elides it.

Path                                                              Size (bytes)  MD5                               Detections  Last updated
D:\SystemFolders\Downloads\AA_v3.exe                              780,432       e9b569f7cbf23d91df065c18f4c43840  22,311      October 17, 2023
%SYSTEMDRIVE%\Users\<username>\Downloads\AA_v3.exe                769,528       1fc7c230d6db0d7a0da6f415da271159  7,935       October 10, 2023
%SYSTEMDRIVE%\Genius\AA_v3.exe                                    792,720       79910ca3e3418acca4fa2f2e16bac1a3  7,333       October 3, 2023
%SystemDrive%\MB\AA_v3.exe                                        764,184       a274dba823aa711db0301f58f53a9560  845         October 24, 2017
%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\QN4DXKDG\AA_v3.exe  765,952       87d78952e4f4bad86e88ea07b097de2e  738         October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   1,214,744     7cbafc4de61b075afa1c6def9a5ad60e  309         October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   765,952       5f24cf4ee3199fea0c022bbe4ba6636a  87          October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   765,952       216dfd205fda65aa923985c320221717  82          October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   765,952       c57236b0c298428c18b38fa7791544dc  73          October 24, 2017
F:\OLDSOFT_ZIPPED\AA_v3.exe                                       773,624       ffcc18fd9a6016c5972afbb35b86df79  66          October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   765,952       f74315e69cb76546b47ee2284385548e  61          October 24, 2017
%USERPROFILE%\Downloads\AA_v3.exe                                 839,160       17492955165580094a156c98789759b6  35          October 24, 2017
%SystemDrive%\Users\<username>\Desktop\AA_v3.exe                  773,624       1b299b3300ea923a3c03096178a23f7f  33          October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   765,952       d9b30364ad5f0510d1aeb99e0e9e0898  26          October 24, 2017
E:\Arsip\AA_v3.exe                                                805,144       ada3b4d8f717b5de6d70ff6d39944f3c  26          October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   1,202,572     6f77c3e789b5d8b3e0e5a3ae9b493c77  26          October 24, 2017
%SystemDrive%\RcFinWin\AA_v3.exe                                  862,032       6a17ba5fc7de46ce39b8e176e458db93  23          October 24, 2017
E:\SISTEMA\VISUAL_RODOPAR\Suporte - Datapar\AA_v3.exe             720,896       5c513c40bf791e7f35cc63cb91273400  21          October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   765,952       4224d33783f3723ac98a3de61f46f520  14          October 24, 2017
%USERPROFILE%\Desktop\AA_v3.exe                                   1,072,632     106d6085d39a11bd0d5dbf87da08f9ac  14          October 24, 2017
D:\drv\AA_v3.exe                                                  1,916,928     9eebc7760e28d6781bd1aea01fc106b2  14          October 24, 2017

Two caveats when using this list. First, AA_v3.exe is also the file name of the legitimate Ammyy Admin download, so a name match on its own is a lead, not a finding; the hash decides. Second, nine entries share the size 765,952 bytes yet carry different MD5s, so identical name and size do not imply the same binary either: match on the hash, and treat an AA_v3.exe with an unlisted hash as unknown rather than clean.

Registry Modifications

The following Registry keys are created. The page lists them relative to the hive; the SYSTEM\ and SOFTWARE\Wow6432Node\ paths exist only under HKEY_LOCAL_MACHINE.

  • Software\Ammyy\Admin
  • SOFTWARE\Wow6432Node\Ammyy\Admin
  • SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin
  • SYSTEM\ControlSet001\services\AmmyyAdmin
  • SYSTEM\ControlSet002\Control\SafeBoot\Network\AmmyyAdmin
  • SYSTEM\ControlSet002\services\AmmyyAdmin
  • SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin
  • SYSTEM\CurrentControlSet\services\AmmyyAdmin

The services\AmmyyAdmin key means the tool was registered as a Windows service, so it starts without a logged-on user. The matching SafeBoot\Network\AmmyyAdmin entry adds that service to the Safe Mode with Networking allow-list, so rebooting into safe mode does not cut off the remote access; the service entry and the SafeBoot entry should be removed together.

Additional Information

The following directories were created (the non-English names are the localized "Application Data" folder on German, Portuguese, Polish, Italian and Spanish editions of Windows):

  • %ALLUSERSPROFILE%\AMMYY
  • %ALLUSERSPROFILE%\Anwendungsdaten\AMMYY
  • %ALLUSERSPROFILE%\Application Data\AMMYY
  • %ALLUSERSPROFILE%\Dados de aplicativos\AMMYY
  • %ALLUSERSPROFILE%\Dane aplikacji\AMMYY
  • %ALLUSERSPROFILE%\Dati applicazioni\AMMYY
  • %ALLUSERSPROFILE%\Datos de programa\AMMYY
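The file, Registry and directory artifacts above can be checked on a host in one pass. The PowerShell script below is an added example, not code from this page or from Ammyy. It is read-only (it reports and removes nothing), takes the 21 MD5s from the file table, and assumes the hive for the Software\Ammyy\Admin keys is HKEY_LOCAL_MACHINE, since the page lists them without a hive; it searches fixed drives only, and the network-connection lookup uses Get-NetTCPConnection, which needs Windows 8 / Server 2012 or later.

```powershell
# Added example: read-only sweep of a Windows host for the Ammyy Admin artifacts listed on this page.
# Run from an elevated PowerShell prompt. Assumptions: HKLM for the Software\Ammyy\Admin keys,
# fixed drives only, Get-NetTCPConnection available (Windows 8 / Server 2012 or later).

$KnownMd5 = @(
    'e9b569f7cbf23d91df065c18f4c43840', '1fc7c230d6db0d7a0da6f415da271159',
    '79910ca3e3418acca4fa2f2e16bac1a3', 'a274dba823aa711db0301f58f53a9560',
    '87d78952e4f4bad86e88ea07b097de2e', '7cbafc4de61b075afa1c6def9a5ad60e',
    '5f24cf4ee3199fea0c022bbe4ba6636a', '216dfd205fda65aa923985c320221717',
    'c57236b0c298428c18b38fa7791544dc', 'ffcc18fd9a6016c5972afbb35b86df79',
    'f74315e69cb76546b47ee2284385548e', '17492955165580094a156c98789759b6',
    '1b299b3300ea923a3c03096178a23f7f', 'd9b30364ad5f0510d1aeb99e0e9e0898',
    'ada3b4d8f717b5de6d70ff6d39944f3c', '6f77c3e789b5d8b3e0e5a3ae9b493c77',
    '6a17ba5fc7de46ce39b8e176e458db93', '5c513c40bf791e7f35cc63cb91273400',
    '4224d33783f3723ac98a3de61f46f520', '106d6085d39a11bd0d5dbf87da08f9ac',
    '9eebc7760e28d6781bd1aea01fc106b2'
)

# Persistence keys from the page (hive assumed HKLM). SafeBoot\Network\AmmyyAdmin lets the
# service start in Safe Mode with Networking, so a safe-mode boot does not stop it.
$RegistryKeys = @(
    'HKLM:\SOFTWARE\Ammyy\Admin',
    'HKLM:\SOFTWARE\Wow6432Node\Ammyy\Admin',
    'HKLM:\SYSTEM\CurrentControlSet\Services\AmmyyAdmin',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin'
)

# Settings directory; the localized "Application Data" variants resolve to the same place.
$DataDirs = @("$env:ALLUSERSPROFILE\AMMYY", "$env:ALLUSERSPROFILE\Application Data\AMMYY")

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Item, [string]$Detail, [bool]$Confirmed) {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail; Confirmed = $Confirmed })
}

# 1. Every AA_v3.exe on a fixed drive. The name alone is only a lead, because AA_v3.exe is also
#    the legitimate Ammyy Admin download; Confirmed is set only on an MD5 match.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
    Get-ChildItem -Path "$($_.DeviceID)\" -Filter 'AA_v3.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        Add-Finding 'File' $_.FullName "md5=$md5 size=$($_.Length) modified=$($_.LastWriteTime)" ($KnownMd5 -contains $md5)
    }
}

# 2. Registry persistence, one key at a time so the report says which of them exist.
foreach ($key in $RegistryKeys) {
    if (Test-Path -LiteralPath $key) {
        $detail = ''
        if ($key -like '*\Services\AmmyyAdmin') {
            $svc = Get-ItemProperty -LiteralPath $key
            $detail = "ImagePath=$($svc.ImagePath) Start=$($svc.Start)"   # Start 2 = automatic
        }
        Add-Finding 'Registry' $key $detail $true
    }
}

# 3. Settings directory and what it holds (file names and timestamps help date the install).
foreach ($dir in $DataDirs) {
    if (Test-Path -LiteralPath $dir) {
        $items = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                 ForEach-Object { "$($_.Name) [$($_.LastWriteTime)]" }
        Add-Finding 'Directory' $dir ($items -join ', ') $true
    }
}

# 4. Live state: the service, and any running AA_v3.exe with its established outbound peers.
$service = Get-Service -Name 'AmmyyAdmin' -ErrorAction SilentlyContinue
if ($service) { Add-Finding 'Service' $service.Name "status=$($service.Status)" $true }

Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ([IO.Path]::GetFileName($_.Path) -ieq 'AA_v3.exe') } |
    ForEach-Object {
        $peers = Get-NetTCPConnection -OwningProcess $_.Id -State Established -ErrorAction SilentlyContinue |
                 ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        Add-Finding 'Process' "$($_.ProcessName) (PID $($_.Id))" "path=$($_.Path) remote=$($peers -join ', ')" $true
    }

if ($findings.Count -eq 0) { 'No Ammyy Admin artifacts found.' }
else { $findings | Sort-Object Type | Format-Table -AutoSize -Wrap }
```

The whole-drive search is the slow step; on a large file server, point step 1 at the user-profile and download paths from the table first. Record the remote peers from step 4 before killing the process: they are the relay or C2 addresses you will want to block and to search for on other hosts.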