by unsticky
Written in Visual Basic, compressed with UPX
Released in December 2004
Name: AR34
Class: Trojan / Password Stealer(?)
Author: unsticky
Build Date: Nov 27, 2004
Compiled in: Visual Basic 6
Packed in: UPX
File Size: 15.5 kb

Features:
+Copy to system32 using encrypted file name
+Delete initial server and run copy.
+Add to Startup
+Hide from TaskManager
+AV Killing - Ad-Aware, Norton, and McAfee
+Firewall Killing - ZoneAlarm, Kerio, and Windows
+System Tool Killing - TaskManager, MSConfig, RegEdit, SystemRestore, and Command Prompt
+Grab AIM MD5 Hashes and TestBuddy Passwords
+Grab External and Internal IPs
+Log Hashes, Passwords, Host Name, and IPs to encrypted hardcoded website.

unsticky

dropped file: c:\WINDOWS\system32\msps.exe
size: 15.872 bytes
startup: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"
data: C:\WINDOWS\system32\msps.exe

tested on Windows XP
December 12, 2004
MegaSecurity