Ammyy Admin
Posted: January 9, 2014
Threat Metric
The fields listed on the Threat Meter that carry a specific value are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs identified in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency of a malware threat infecting PCs. The percentage impact correlates directly with the current Trend Path to determine a rise or decline in the percentage.
| Ranking: | 381 |
|---|---|
| Threat Level: | 1/10 |
| Infected PCs: | 612,736 |
| First Seen: | January 9, 2014 |
| Last Seen: | March 10, 2025 |
| OS(es) Affected: | Windows |
The AMMYY RAT, or FlawedAmmyy, is a Remote Access Trojan that gives criminals backdoor control over infected PCs. The actions of a remote attacker can result in the theft of confidential information, the installation of other threats, significant changes to the file system and other security issues. Since this Trojan runs without the user's knowledge, malware experts recommend using anti-malware programs capable of deleting the AMMYY RAT automatically before taking steps for re-securing the PC and its data.
Legal Software Twisted to Illegal Uses
The Ammyy Admin Remote Administration Tool has been conscripted into a series of Black Hat campaigns that, unusually, target both specific company networks, such as entities in the automotive industry, and random PC users. The earliest cases of these AMMYY RAT attacks date back to 2016, with millions of spam e-mail messages as the evident infection vector. Malware experts also note a possible connection to TA505, a criminal actor familiar with exploiting the Dridex banking Trojan and the file-locking Globe Imposter Ransomware.
The AMMYY RAT arrives via Trojan downloaders circulated through a combination of e-mail-attached ZIP archives containing fake URL shortcut files and Word documents with macro exploits. Most of the AMMYY RAT's source code derives from a leak of the Ammyy Admin product and, like that software, it requires no installation and runs from a small executable. Features that malware analysts note as especially hazardous to infected PCs include:
- File-transfer capabilities let criminals upload confidential files from an infected PC to their private servers, or download other files to the PC (such as installers for other Trojans).
- Traditional remote desktop functionality gives external control over user input devices, such as the mouse and keyboard, along with remote-viewing sessions.
- The AMMYY RAT may bypass firewall protection and NATs that would ordinarily help secure a network by blocking suspicious traffic.
An AMMYY RAT infection, like any backdoor-capable threat, also implies the possible presence of banking Trojans, spyware, and other threatening software, due to how much control it grants the remote attacker over the computer.
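A mail-gateway screening check for the two delivery methods described above, added here as an example and not part of the original article: it flags ZIP attachments that carry .url or .lnk shortcut files and Word documents that embed a VBA macro project. The build_zip helper and the attachments it produces are constructed samples for offline testing, not real lures.

```python
import io
import zipfile

# Lure traits the article associates with this Trojan's downloaders: ZIP attachments
# carrying Internet-shortcut files, and Word documents carrying a VBA macro project.
SHORTCUT_EXTS = (".url", ".lnk")
WORD_EXTS = (".docx", ".docm", ".dotm")
VBA_PART = "word/vbaproject.bin"   # OOXML part name that holds embedded macros


def zip_member_names(data):
    """Return member names if data is a ZIP container (OOXML files are), else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def screen_attachment(filename, data):
    """Return the reasons an attachment matches the lure patterns (empty list = none)."""
    reasons = []
    lower = filename.lower()
    names = zip_member_names(data)
    if names is None:
        return reasons
    if lower.endswith(".zip"):
        for name in names:
            if name.lower().endswith(SHORTCUT_EXTS):
                reasons.append("zip contains shortcut file: " + name)
    if lower.endswith(WORD_EXTS):
        # A .docx should never carry a VBA project; a .docm/.dotm legitimately can,
        # so a hit here is a review trigger, not a verdict on its own.
        if any(name.lower() == VBA_PART for name in names):
            reasons.append("Word document contains a VBA macro project")
    return reasons


def build_zip(entries):
    """Constructed sample builder for offline testing: member name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample, not a real attachment.
    lure = build_zip({"invoice.url": b"[InternetShortcut]\r\nURL=https://example.invalid/\r\n"})
    print(screen_attachment("invoice.zip", lure))
```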
Curtailing the Administration that's Coming from the Wrong Places
Most recently, AMMYY RAT attacks also occurred in early March of this year. Since these attacks have previously gone undetected by the AV industry, users should be stringent about updating all appropriate security software to reduce the failure rate for detecting this threat. The AMMYY RAT can run on Windows 2000 through Windows 8, including server editions and both 32-bit and 64-bit architectures. Both the general public and well-financed corporate entities are in equal danger from the Remote Access Trojan's campaigns, whose threat actor uses high-traffic bursts of spam e-mail lasting one or two days at a time.
Social engineering exploits often help drop threats like the AMMYY RAT, and malware analysts connect two of them, in particular, with the latest infections. Fake invoice and billing information may trick a PC user into opening a Trojan downloader unknowingly. Alternately, the installer embeds itself in a document macro, which the criminal disguises as an encryption-based security feature. Any competent anti-malware solution should block both of these attacks or remove the AMMYY RAT from your computer afterward.
Since the AMMYY RAT is deployed so indiscriminately, its operational goal may be no more complicated than compromising victims for money. However, it is just as possible that different criminals are exploiting the Ammyy Admin toolset for various ends, with the overall consequences yet to be recorded.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

%WINDIR%\CW2.exe
File name: CW2.exe
Size: 769.52 KB (769528 bytes)
MD5: 5686a7032e37087f0fd082a04f727aad
Detection count: 1,148
File type: Executable File
Mime Type: unknown/exe
Path: %WINDIR%\CW2.exe
Group: Malware file
Last Updated: January 21, 2025

C:\Users\<username>\Desktop\DA SISTEMARE\VARIE\copia PENNINE\SONY\BACKUP CAF MANAGER\Utility(2)\ARE.SM
File name: ARE.SM
Size: 147.45 KB (147456 bytes)
MD5: 84e4d318f5140e3ab182035aab3db603
Detection count: 96
Mime Type: unknown/SM
Path: C:\Users\<username>\Desktop\DA SISTEMARE\VARIE\copia PENNINE\SONY\BACKUP CAF MANAGER\Utility(2)\ARE.SM
Group: Malware file
Last Updated: May 14, 2022

%USERPROFILE%\Desktop\Ammyy Admin v3.exe
File name: Ammyy Admin v3.exe
Size: 796.46 KB (796464 bytes)
MD5: 7f7c2b7cf6c3e2c279af61a51014db14
Detection count: 14
File type: Executable File
Mime Type: unknown/exe
Path: %USERPROFILE%\Desktop
Group: Malware file
Last Updated: April 8, 2014

%TEMP%orary Internet Files\Content.IE5\6WXXOE0B\AMMYY_Admin[1].exe
File name: AMMYY_Admin[1].exe
Size: 667.64 KB (667648 bytes)
MD5: 488df3646d78cdc4e68c25fcb3b6289b
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%orary Internet Files\Content.IE5\6WXXOE0B
Group: Malware file
Last Updated: April 8, 2014

%PROGRAMFILES(x86)%\AMMYY_Admin.exe
File name: AMMYY_Admin.exe
Size: 750.28 KB (750288 bytes)
MD5: 221c2c1099923dc6348d7bc1a21d2a3b
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Path: %PROGRAMFILES(x86)%
Group: Malware file
Last Updated: April 8, 2014
Registry Modifications
The following registry keys were created (hive root abbreviated as HKEY..\..\..\..):
- Software\Ammyy\Admin
- SOFTWARE\Wow6432Node\Ammyy\Admin
- SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin
- SYSTEM\ControlSet001\services\AmmyyAdmin
- SYSTEM\ControlSet002\Control\SafeBoot\Network\AmmyyAdmin
- SYSTEM\ControlSet002\services\AmmyyAdmin
- SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin
- SYSTEM\CurrentControlSet\services\AmmyyAdmin
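A defender-side triage helper for the file and registry artifacts listed in the two sections above, added here as an example and not part of the original page or of any product: it matches file contents against the size and MD5 pairs from the File System Modifications list, scans a set of candidate paths, and labels each listed registry key by its role (Safe Mode start-up allowance, service registration, or settings). The hashes and keys in the tables are the ones listed on this page; the sample indicator used in the test is constructed.

```python
import hashlib
# File indicators from the File System Modifications section: (name, size in bytes, MD5).
PAGE_FILE_INDICATORS = [
    ("CW2.exe", 769528, "5686a7032e37087f0fd082a04f727aad"),
    ("ARE.SM", 147456, "84e4d318f5140e3ab182035aab3db603"),
    ("Ammyy Admin v3.exe", 796464, "7f7c2b7cf6c3e2c279af61a51014db14"),
    ("AMMYY_Admin[1].exe", 667648, "488df3646d78cdc4e68c25fcb3b6289b"),
    ("AMMYY_Admin.exe", 750288, "221c2c1099923dc6348d7bc1a21d2a3b"),
]

PAGE_REGISTRY_KEYS = [  # from the Registry Modifications section, hive root omitted as there
    r"Software\Ammyy\Admin",
    r"SOFTWARE\Wow6432Node\Ammyy\Admin",
    r"SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin",
    r"SYSTEM\ControlSet001\services\AmmyyAdmin",
    r"SYSTEM\ControlSet002\Control\SafeBoot\Network\AmmyyAdmin",
    r"SYSTEM\ControlSet002\services\AmmyyAdmin",
    r"SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin",
    r"SYSTEM\CurrentControlSet\services\AmmyyAdmin",
]

def match_file(data, indicators=PAGE_FILE_INDICATORS):
    """Return indicator names whose size AND MD5 both match; size is checked first to avoid hashing."""
    size_hits = [ind for ind in indicators if ind[1] == len(data)]
    if not size_hits:
        return []
    digest = hashlib.md5(data).hexdigest()
    return [name for name, _size, md5 in size_hits if md5 == digest]

def scan_paths(paths, indicators=PAGE_FILE_INDICATORS):
    """Map each readable path to the indicator names it matches; unreadable paths are skipped."""
    hits = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                names = match_file(fh.read(), indicators)
        except OSError:
            continue
        if names:
            hits[path] = names
    return hits

def classify_registry_key(key):
    """Label what a listed key does so a responder knows which persistence to remove first."""
    lowered = key.lower().replace("/", "\\")
    if "\\control\\safeboot\\" in lowered:
        return "safeboot"   # service permitted to start in Safe Mode with Networking
    if "\\services\\" in lowered:
        return "service"    # Windows service registration (survives reboots)
    return "settings"       # application configuration under Software\...
```

On a Windows host the paths passed to scan_paths would come from expanding the %WINDIR%, %USERPROFILE% and %PROGRAMFILES(x86)% entries above, and the key list would be checked against the corresponding HKLM/HKCU hives.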