Win32/TrojanDownloader.Carberp [Threat Name]

Win32/TrojanDownloader.Carberp.AH [Threat Variant Name]

Category trojan
Size 176128 B
Detection created Feb 02, 2012
Signature database version 6850
Aliases Backdoor.Win32.Bredolab.xuf (Kaspersky)
  TrojanDownloader:Win32/Carberp.C (Microsoft)
  Backdoor.Trojan (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan tries to download and execute several files from the Internet.

Installation

When executed, the trojan creates the following folders:

  • c:\%variable1%\
  • %appdata%\%variable2%\

The trojan creates the following files:

  • c:\%variable1%\wndsksi.inf
  • %startup%\%variable3%.exe (176128 B)
  • %temp%\%variable4%.tmp

A string with variable content is used instead of %variable1-4%.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "RegId" = %value%
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "TabProcGrowth" = "0"

The trojan may create and run a new thread with its own program code within any running process.
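A triage sketch for the file and registry artifacts listed in this section, added here as an example and not part of the original description. The function names and the Startup folder path in the main guard are assumptions; because the folder and file names are variable, the checks key on the fixed name wndsksi.inf and the stated size, and a hit is only a lead to confirm with a scanner.

```python
import os
import sys

INF_NAME = "wndsksi.inf"   # fixed file name from the description
SAMPLE_SIZE = 176128       # size in bytes given for this variant

def find_inf_dirs(drive_root):
    """First-level folders under drive_root that contain wndsksi.inf."""
    hits = []
    for entry in os.scandir(drive_root):
        if entry.is_dir(follow_symlinks=False) and os.path.isfile(
                os.path.join(entry.path, INF_NAME)):
            hits.append(entry.path)
    return sorted(hits)

def find_startup_candidates(startup_dir):
    """.exe files in the Startup folder whose size equals the sample's."""
    hits = []
    for entry in os.scandir(startup_dir):
        if (entry.is_file(follow_symlinks=False)
                and entry.name.lower().endswith(".exe")
                and entry.stat().st_size == SAMPLE_SIZE):
            hits.append(entry.path)
    return sorted(hits)

def read_registry_indicators():
    """Read the two registry values named above; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    targets = {
        "RegId": (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
        "TabProcGrowth": (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\Main"),
    }
    found = {}
    for name, (hive, path) in targets.items():
        try:
            with winreg.OpenKey(hive, path) as key:
                found[name] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value not present
    return found

if __name__ == "__main__" and sys.platform == "win32":
    # Assumption: per-user Startup folder location on Windows Vista and later.
    startup = os.path.join(os.environ["APPDATA"], "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    print("folders containing", INF_NAME, ":", find_inf_dirs("C:\\"))
    print("startup candidates:", find_startup_candidates(startup))
    print("registry values:", read_registry_indicators())
```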

Information stealing

The following information is collected:

  • information about the operating system and system settings

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTP protocol is used.


It can execute the following operations:

  • log keystrokes
  • steal information from the Windows clipboard
  • monitor network traffic
  • download files from a remote computer and/or the Internet
  • run executable files
  • collect information about the operating system used
  • send gathered information
