Admilli Service - Details

"A more detailed description of my analysis of the yet unknown new spyware! At the time of writing this document (January 2005) no antivirus or antispyware software is able to remove or even detect it."

What does it do?

Admilli Service installs itself automatically while you browse the Internet with Microsoft Internet Explorer, even with the browser's security level set to Medium.

After installation it does unpredictable things... Maybe it logs all your input and searches for passwords, enables hackers to gain access to your computer or use it as a gateway for their mass spamming needs, or somehow tries to infect other computers in your local network... I wasn't able to detect and classify its activity, but it looks like some sort of sophisticated spyware.

To sum up: "The thing should not be on your PC."


The analysis with antivirus and antispyware solutions...

I have tried to detect and clean the virus with the following antivirus and antispyware solutions, which were all up to date when I performed the scan (on 26 December 2004), but none of them found anything!

Therefore I came to the conclusion that the thing is still unknown to the world and that it works in a different way than other similar software (because none of the heuristic modes in the programs above found anything). But you never know, so you can try some of the following solutions.


More technical results of my investigation

Admilli Service is a new spyware program that runs at least on Microsoft Windows XP and Windows 98 SE and installs itself automatically through Internet Explorer (even at the Medium security level in many versions of it, including the newest 6.0 SP2). It makes Internet Explorer execute commands that download, copy and install an unsigned ActiveX component into the system. Once the installation has finished, two main programs, AdmilliServ.exe and AdmilliKeep.exe, are running from the directory C:\Program Files\Admilli Service\. Each of the two restarts the other as soon as it is closed, which makes them hard to stop.

Here are all the changes the installation (infection) makes to a system:

Lines added to the file C:\Windows\setupapi.log:

[2004/12/26 13:50:47 880.74]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\DOCUME~1\User\LOCALS~1\Temp\ICD1.tmp\AdmilliServX.dll" to "C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\User\LOCALS~1\Temp\ICD1.tmp\AdmilliServX.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.

Note the Policy=Ignore in the last line: the DLL carries no Authenticode signature (error 0x800b0100), and the system's code-signing policy was set to ignore that, so it was installed without any prompt. Something has also changed in C:\WINDOWS\Downloaded Program Files\: a new control with a strange name is registered there, and behind it sits a file that Explorer does not show, AdmilliServX.dll (23.040 bytes), because Explorer presents that folder as a list of registered controls rather than of files. The control entry can be deleted in Explorer, but to remove the file itself you need the Command Prompt or another file manager such as Total Commander.

A new directory, C:\Program Files\Admilli Service\, holds the installed files: AdmilliComm.dll (60.928 bytes), AdmilliKeep.exe (17.920 bytes) and AdmilliServ.exe (26.112 bytes).

New registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service]
"param"="84ff9b0589be58f2fbb4f0b2047978d6d2c681f572f44776ea800a2822cf80fd5393a5536ca9d30e8b03:3732336438643833383439636664333333373836306136353164336534633133:Internet%20Explorer:6.0%20SP2%28SV1%29:winxp:flash"
"track"=dword:00000001
"LastUpdate"=dword:41ceb3bc
"reqcount"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Admilli Service]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,00,02,00,00,00,00,00,00,58,4d,\
  a0,9e,eb,c4,01,00,00,00,00,44,00,3a,00,5c,00,76,00,69,00,72,00,75,00,73,00,\
  5c,00,41,00,64,00,6d,00,69,00,6c,00,6c,00,69,00,20,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,5c,00,41,00,64,00,6d,00,69,00,6c,00,6c,00,69,00,4b,00,\
  65,00,65,00,70,00,2e,00,65,00,78,00,65,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Admilli Service"="C:\\Program Files\\Admilli Service\\AdmilliServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Admilli Service]
"UninstallString"="C:\\Program Files\\Admilli Service\\AdmilliServ.exe /Remove"
"DisplayName"="Admilli Service"

As you can see, the program also registered itself in the Add or Remove Programs list in Control Panel (the Uninstall and ARPCache keys above). Because the malware came in through Internet Explorer, a copy of it also remains in the browser cache (Temporary Internet Files).
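The three values in this export that are not plain strings can be decoded, and doing so is worth the effort. The script below is an added example written for this page, not code from the original write-up or from Admilli Service itself. It reads the export above, embedded as a constructed string with the zero padding of SlowInfoCache cut short, and the meaning it assigns to the fields is this editor's reading of the data rather than anything documented: the second colon-separated part of param as hex-encoded ASCII, LastUpdate as a Unix timestamp, and SlowInfoCache as the ARPCache record layout used by common registry-forensics tools (cbSize, HasName, InstallSize, LastUsed FILETIME, Frequency, then the last-launched path as UTF-16LE at offset 28).

```python
import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample: the two keys of interest, copied from the export above.
# The SlowInfoCache blob is cut after the path; the original pads it with
# zero bytes out to cbSize (0x228 = 552 bytes).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service]
"param"="84ff9b0589be58f2fbb4f0b2047978d6d2c681f572f44776ea800a2822cf80fd5393a5536ca9d30e8b03:3732336438643833383439636664333333373836306136353164336534633133:Internet%20Explorer:6.0%20SP2%28SV1%29:winxp:flash"
"track"=dword:00000001
"LastUpdate"=dword:41ceb3bc
"reqcount"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Admilli Service]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,00,02,00,00,00,00,00,00,58,4d,\
  a0,9e,eb,c4,01,00,00,00,00,44,00,3a,00,5c,00,76,00,69,00,72,00,75,00,73,00,\
  5c,00,41,00,64,00,6d,00,69,00,6c,00,6c,00,69,00,20,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,5c,00,41,00,64,00,6d,00,69,00,6c,00,6c,00,69,00,4b,00,\
  65,00,65,00,70,00,2e,00,65,00,78,00,65,00,00,00
"Changed"=dword:00000000
'''
ADMILLI_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service'
ARPCACHE_KEY = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
                r'\App Management\ARPCache\Admilli Service')


def parse_reg(text):
    """Minimal .reg reader: [key] headers, "name"="string", dword: and hex:
    values; hex: lines ending in a backslash continue on the next line."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if line.startswith('['):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith('\\'):
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, value = line.partition('=')
        name = name.strip('"')
        if value.startswith('"'):
            keys[current][name] = value[1:-1].replace('\\\\', '\\')
        elif value.startswith('dword:'):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith('hex:'):
            keys[current][name] = bytes.fromhex(value[4:].replace(',', ''))
    return keys


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_slow_info_cache(blob):
    """ARPCache SlowInfoCache: cbSize, HasName, InstallSize (int64), LastUsed
    (FILETIME), Frequency, then the last-launched path, NUL-terminated UTF-16LE."""
    cb_size, has_name, install_size, last_used, frequency = struct.unpack_from('<IIqqI', blob, 0)
    tail = blob[28:]
    tail = tail[:len(tail) & ~1]            # tolerate a truncated blob
    name = tail.decode('utf-16-le').split('\x00', 1)[0]
    return {'cb_size': cb_size, 'has_name': bool(has_name),
            'install_size': install_size, 'last_used': filetime_to_datetime(last_used),
            'frequency': frequency, 'name': name}


def decode_param(value):
    """'param' is colon-separated. Field names here are the editor's guesses:
    opaque hex blob, hex-encoded ASCII id, URL-encoded browser and version,
    OS tag, plugin marker."""
    blob, hex_id, browser, version, os_tag, plugin = value.split(':')
    return {'blob': blob, 'install_id': bytes.fromhex(hex_id).decode('ascii'),
            'browser': unquote(browser), 'version': unquote(version),
            'os': os_tag, 'plugin': plugin}


def analyse(reg_text=REG_EXPORT):
    """Decode every non-trivial value from an export holding both keys."""
    keys = parse_reg(reg_text)
    svc, arp = keys[ADMILLI_KEY], keys[ARPCACHE_KEY]
    return {
        'param': decode_param(svc['param']),
        # a dword that reads cleanly as seconds since the Unix epoch
        'last_update': datetime.fromtimestamp(svc['LastUpdate'], tz=timezone.utc),
        'reqcount': svc['reqcount'],
        'arpcache': decode_slow_info_cache(arp['SlowInfoCache']),
    }


if __name__ == '__main__':
    for k, v in analyse().items():
        print(f'{k}: {v}')
```

Running it shows why these values matter. param carries a fingerprint of the infected machine: an opaque hex blob, a 32-character hex identifier (the length of an MD5 digest or any 128-bit id), Internet Explorer, 6.0 SP2(SV1), winxp and flash. LastUpdate decodes to 2004-12-26 12:51:08 UTC, which is 21 seconds after the 13:50:47 setupapi.log entry if the machine ran on Central European Time, so it is written right after installation. The SlowInfoCache path is D:\virus\Admilli Service\AdmilliKeep.exe with a LastUsed of 2004-12-26 23:00 UTC, exactly midnight of 27 December in that time zone, a date rather than a time: Add or Remove Programs records the path and day of the last launch, so this export was taken after the sample had been run again from a D:\virus\ folder. On a victim machine expect the C:\Program Files\ path there instead.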

You can also download the whole strange thing (all the files described above) here: AdmilliService.zip (password for extracting: virus).


Removal instructions (the hard way)

You may try one of the antispyware solutions described above (once they have been updated), or follow these instructions for removing the malware by hand:

  1. First you need to deactivate the program by stopping the two processes, AdmilliServ and AdmilliKeep. This is not as easy as it looks: as soon as you end one of them in Task Manager, the other starts it again. The simplest way around this is to restart the computer in Safe Mode, where Windows does not process the Run key that starts AdmilliServ.exe, and to carry out the remaining steps from there.
  2. It is also a good idea to turn off System Restore for the duration, so that no restore point keeps a copy of the files.
  3. Locate the directory into which Admilli Service installed itself and delete it with everything in it. It is usually C:\Program Files\Admilli Service\. This removes the files AdmilliComm.dll, AdmilliKeep.exe and AdmilliServ.exe.
  4. Next you need to edit the registry. Open Regedit by choosing Run in the Start menu and entering regedit.exe. Use it with care: invalid or deleted entries can leave your computer unbootable. In the left pane locate and delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service, and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run delete the value named Admilli Service (it is what starts AdmilliServ.exe at every logon).
  5. Open the Command Prompt or any file manager other than Explorer (Total Commander, for example), go to the Downloaded Program Files directory, usually C:\WINDOWS\Downloaded Program Files\, and delete the file AdmilliServX.dll (23.040 bytes).
  6. Then open the same directory in Explorer and delete the strangely named control entry that belongs to AdmilliServX.dll.
  7. Open the Control Panel, choose Add or Remove Programs, locate Admilli Service and click the remove button. A window will pop up complaining that files are missing; that is fine, because we deleted them earlier. If the entry is still listed afterwards, delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Admilli Service in Regedit.
  8. Finally, empty the Temporary Internet Files cache in Internet Explorer: choose Tools, then Internet Options, and click the Delete Files button.
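The steps above as one script, for those who would rather not click through them. This is an added example written for this page, not the author's code and not anything that ships with Windows. It is Windows-only, must be run from an elevated prompt, and assumes the paths, file names and registry entries reported earlier on this page. It handles step 1 differently from the Safe Mode route: it suspends both processes with the undocumented ntdll export NtSuspendProcess before terminating either one, which is what defeats a pair that restart each other, and it deletes the Uninstall and ARPCache keys directly instead of going through Add or Remove Programs (step 7). The control registration of step 6 is not identified on the page, so it stays a manual step. The embedded tasklist output is constructed so find_pids() can be exercised without a Windows machine.

```python
import csv
import ctypes
import io
import os
import shutil
import subprocess
import sys

WATCHDOG_PAIR = ('AdmilliServ.exe', 'AdmilliKeep.exe')
INSTALL_DIR = r'C:\Program Files\Admilli Service'
DPF_DLL = r'C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll'
RUN_KEY = r'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
RUN_VALUE = 'Admilli Service'
LEFTOVER_KEYS = (                       # none of these has subkeys in the export
    r'SOFTWARE\Admilli Service',
    r'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Admilli Service',
    r'SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Admilli Service',
)
PROCESS_TERMINATE = 0x0001
PROCESS_SUSPEND_RESUME = 0x0800

# Constructed `tasklist /FO CSV /NH` output, for trying find_pids() offline.
SAMPLE_TASKLIST = (
    '"explorer.exe","1488","Console","0","20,112 K"\n'
    '"AdmilliServ.exe","1632","Console","0","3,104 K"\n'
    '"AdmilliKeep.exe","1640","Console","0","2,048 K"\n'
    '"admilliserv.exe","1700","Console","0","3,000 K"\n'
)


def find_pids(names, tasklist_csv):
    """Map lower-cased image names to PID sets from tasklist CSV output
    (columns: Image Name, PID, Session Name, Session#, Mem Usage)."""
    wanted = {n.lower() for n in names}
    pids = {}
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[0].lower() in wanted:
            pids.setdefault(row[0].lower(), set()).add(int(row[1]))
    return pids


def suspend_then_kill(pids):
    """Freeze every member of the watchdog pair before terminating any of
    them: a suspended partner still looks alive, so nothing gets restarted."""
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
    ntdll = ctypes.WinDLL('ntdll')
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.TerminateProcess.argtypes = [ctypes.c_void_p, ctypes.c_uint]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    ntdll.NtSuspendProcess.argtypes = [ctypes.c_void_p]
    handles = []
    for pid in pids:
        h = kernel32.OpenProcess(PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE, False, pid)
        if not h:
            raise OSError(ctypes.get_last_error(), f'OpenProcess({pid}) failed')
        ntdll.NtSuspendProcess(h)
        handles.append(h)
    for h in handles:                   # all frozen now: kill and release
        kernel32.TerminateProcess(h, 1)
        kernel32.CloseHandle(h)


def remove_persistence():
    """Drop the Run value first so a reboot cannot revive the pair, then the
    data, Uninstall and ARPCache keys (this replaces step 7 above)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, RUN_VALUE)
    for path in LEFTOVER_KEYS:
        try:
            winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            pass                        # already gone


def remove_files():
    """Steps 3 and 5; the control entry of step 6 stays manual."""
    shutil.rmtree(INSTALL_DIR, ignore_errors=True)
    if os.path.exists(DPF_DLL):
        os.remove(DPF_DLL)


def main():
    if sys.platform != 'win32':
        sys.exit('This cleanup only runs on Windows.')
    listing = subprocess.run(['tasklist', '/FO', 'CSV', '/NH'],
                             capture_output=True, text=True, check=True).stdout
    found = find_pids(WATCHDOG_PAIR, listing)
    suspend_then_kill(sorted(pid for pids in found.values() for pid in pids))
    remove_persistence()
    remove_files()


if __name__ == '__main__':
    main()
```

The order matters twice: processes are frozen before any is killed, and the Run value goes before the files so that a crash half-way through cannot leave a working autostart pointing at a still-present executable. Deleting the DLL with os.remove works because the Downloaded Program Files quirk is purely an Explorer display matter, as the page notes.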

Now you can smile, because you are spyware-free, or at least free of this strange Admilli Service.




© Tnode 2005-06 (GW)
Feel free to email me (gwSPAM@tnode.com) if you have any questions, suggestions or information related to this web page.
Remember to remove the word "SPAM" from my email address before sending (yes, the username is just 2 characters long). This is part of my attempt to keep spam out of my mailbox.

