Win32/TrojanDownloader.Carberp [Threat Name]
Win32/TrojanDownloader.Carberp.AH [Threat Variant Name]
| Detection created | Feb 02, 2012 |
| Signature database version | 6850 |
The trojan serves as a backdoor. It can be controlled remotely. The trojan tries to download and execute several files from the Internet.
When executed, the trojan creates the following folders:
The trojan creates the following files:
- %startup%\%variable3%.exe (176128 B)
A string with variable content is used instead of %variable1-4%.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
  - "RegId" = %value%
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  - "TabProcGrowth" = "0"
The trojan may create and run a new thread with its own program code within any running process.
The following information is collected:
- information about the operating system and system settings
The trojan can send the information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs. The HTTP protocol is used.
It can execute the following operations:
- log keystrokes
- steal information from the Windows clipboard
- monitor network traffic
- download files from a remote computer and/or the Internet
- run executable files
- collect information about the operating system used
- send gathered information