Win32/TrojanDownloader.Carberp [Threat Name]
Win32/TrojanDownloader.Carberp.AH [Threat Variant Name]
| Category | trojan |
| Size | 176128 B |
| Signature database version | 6850 (Feb 02, 2012) |
| Aliases | Backdoor.Win32.Bredolab.xuf (Kaspersky) |
| | TrojanDownloader:Win32/Carberp.C (Microsoft) |
| | Backdoor.Trojan (Symantec) |
Short description
The trojan serves as a backdoor. It can be controlled remotely. The trojan tries to download and execute several files from the Internet.
Installation
When executed, the trojan creates the following folders:
- c:\%variable1%\
- %appdata%\%variable2%\
The trojan creates the following files:
- c:\%variable1%\wndsksi.inf
- %startup%\%variable3%.exe (176128 B)
- %temp%\%variable4%.tmp
A string with variable content is used instead of %variable1-4%.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
  - "RegId" = %value%
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  - "TabProcGrowth" = "0"
The trojan may create and run a new thread with its own program code within any running process.
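A read-only triage check for the files and Registry entries listed above, as an added example that is not part of the original description or of any vendor tooling. It assumes PowerShell 3.0 or later and that %startup% refers to the per-user or all-users Startup folder; the function name Get-CarberpAhLeads and its parameter are hypothetical.

```powershell
# Added example: looks for the installation artifacts named in this description.
# It only reads the file system and Registry; each hit is a lead to corroborate.
function Get-CarberpAhLeads {
    param([long]$ExpectedSize = 176128)   # file size in bytes, from the description

    # 1. wndsksi.inf inside a first-level folder of C:\ (the folder name is variable)
    foreach ($dir in Get-ChildItem -LiteralPath 'C:\' -Directory -Force -ErrorAction SilentlyContinue) {
        $inf = Join-Path $dir.FullName 'wndsksi.inf'
        if (Test-Path -LiteralPath $inf -PathType Leaf) {
            [pscustomobject]@{ Kind = 'File'; Item = $inf; Note = 'wndsksi.inf in a root-level folder' }
        }
    }

    # 2. An .exe of exactly the listed size in a Startup folder (the file name is variable).
    #    Assumption: %startup% maps to one of these two special folders.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path) { continue }
        Get-ChildItem -LiteralPath $path -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq $ExpectedSize } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'File'; Item = $_.FullName; Note = "Startup .exe of $ExpectedSize bytes" }
            }
    }

    # 3. The two Registry values. RegId has variable data, so its presence alone is reported;
    #    TabProcGrowth is reported only when its data is 0 (string or DWORD).
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'; Name = 'RegId'; Expect = $null },
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'TabProcGrowth'; Expect = '0' }
    )
    foreach ($c in $checks) {
        $prop = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }
        $value = $prop.($c.Name)
        if ($null -eq $c.Expect -or "$value" -eq $c.Expect) {
            [pscustomobject]@{ Kind = 'Registry'; Item = "$($c.Path)\$($c.Name)"; Note = "value = $value" }
        }
    }
}

Get-CarberpAhLeads | Format-Table -AutoSize -Wrap
```

TabProcGrowth is a regular Internet Explorer setting, so that hit on its own is weak evidence. The HKEY_CURRENT_USER and per-user Startup checks cover only the account running the script.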
Information stealing
The following information is collected:
- information about the operating system and system settings
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs. The HTTP protocol is used.
It can execute the following operations:
- log keystrokes
- steal information from the Windows clipboard
- monitor network traffic
- download files from a remote computer and/or the Internet
- run executable files
- collect information about the operating system used
- send gathered information