Win32/Spatet [Threat Name]

Win32/Spatet.C [Threat Variant Name]

Category trojan
Size 903177 B
Detection created Apr 09, 2010
Signature database version 5014
Aliases Trojan-Dropper.MSIL.StubRC.bmd (Kaspersky)
  Generic.Dropper.uu (McAfee)
  VirTool:Win32/BeeInject (Microsoft)
Short description

The trojan serves as a backdoor.

Installation

When executed, the trojan creates the following files:

  • %system%\winbotex\starter.exe (903177 B)
  • %temp%\UuU.uUu
  • %temp%\XxX.xXx

The trojan may create the following files:

  • %appdata%\cglogs.dat

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{OTU7263I-A7TK-4J0A-04X5-K0B7SQ7YNB2S}]
    • "StubPath" = "%system%\winbotex\starter.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "Policies" = "%system%\winbotex\starter.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "HKLM" = "%system%\winbotex\starter.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "Policies" = "%system%\winbotex\starter.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "HKCU" = "%system%\winbotex\starter.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Rune]
    • "FirstExecution" = "%variable%"
    • "NewIdentification" = "Rune"

A string with variable content is used in place of %variable%.
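The file and Registry artifacts above are enough to triage a host for this variant without running the sample. The following read-only PowerShell check is an added example, not code from the ESET description; it assumes %system% resolves to the System32 directory of the current Windows installation and that %temp% and %appdata% are those of the user running the script. The additional scan of every Active Setup "Installed Components" subkey for a StubPath pointing at winbotex is a generalization beyond the single GUID the page lists.

```powershell
# Added triage example (not from the original page): looks for the
# Win32/Spatet.C persistence artifacts listed above. Read-only.
# Assumptions: %system% = <SystemRoot>\System32; %temp% and %appdata%
# belong to the user running the script.
$ErrorActionPreference = 'SilentlyContinue'

$system  = Join-Path $env:SystemRoot 'System32'
$starter = Join-Path $system 'winbotex\starter.exe'

# Dropped files named on the page (cglogs.dat is optional).
$files = @(
    $starter,
    (Join-Path $env:TEMP    'UuU.uUu'),
    (Join-Path $env:TEMP    'XxX.xXx'),
    (Join-Path $env:APPDATA 'cglogs.dat')
)

# Autostart values the trojan sets, as (key, value name) pairs.
$autostart = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{OTU7263I-A7TK-4J0A-04X5-K0B7SQ7YNB2S}'; Name = 'StubPath' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'Policies' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                   Name = 'HKLM' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'Policies' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'HKCU' }
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files: report presence and size (starter.exe is 903177 B on the page).
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $len = (Get-Item -LiteralPath $f).Length
        $findings.Add("file present: $f ($len bytes)")
    }
}

# 2. The exact autostart values from the description.
foreach ($v in $autostart) {
    $data = (Get-ItemProperty -LiteralPath $v.Key -Name $v.Name).($v.Name)
    if ($data) {
        $findings.Add("autostart value: $($v.Key)\$($v.Name) = $data")
    }
}

# 3. Generalization: any Active Setup component whose StubPath points at winbotex,
#    in case the GUID differs from the one on the page.
Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' |
    ForEach-Object {
        $stub = (Get-ItemProperty -LiteralPath $_.PSPath -Name 'StubPath').StubPath
        if ($stub -and $stub -match 'winbotex') {
            $findings.Add("Active Setup StubPath under $($_.PSChildName): $stub")
        }
    }

# 4. Marker key written on first execution.
$rune = Get-ItemProperty -LiteralPath 'HKCU:\Software\Rune'
if ($rune) {
    $findings.Add("marker key HKCU\Software\Rune: FirstExecution='$($rune.FirstExecution)' NewIdentification='$($rune.NewIdentification)'")
}

if ($findings.Count -eq 0) { 'No Win32/Spatet.C indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys and System32 are readable. Because the %temp%, %appdata% and HKCU artifacts belong to whichever user ran the dropper, a triage of a multi-user host should repeat the HKCU and profile-directory checks for each loaded user hive and profile, not only the one executing the script.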

Information stealing

The trojan collects the following information:

  • antivirus software detected on the affected machine
  • operating system version
  • user name
  • computer name
  • installed software
  • Mozilla Firefox account information
  • list of disk devices and their type
  • list of running processes
  • memory status
  • CPU information

Other information

It can execute the following operations:

  • retrieve information from protected storage and send it to the remote computer
  • capture webcam video/voice
  • log keystrokes
  • steal information from the Windows clipboard
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • various filesystem operations
  • run executable files
  • create Registry entries
  • delete Registry entries
  • connect to a specific port on remote computers
  • capture screenshots
  • block keyboard and mouse input
  • send open TCP and UDP port numbers to a remote computer
  • redirect network traffic
  • open the CD/DVD drive
  • shut down/restart the computer
  • show/hide application windows
  • send the list of running processes to a remote computer
  • terminate running processes
  • remove itself from the infected computer
  • update itself to a newer version
  • set up a proxy server
