MSIL/ChadowTek [Threat Name]

MSIL/ChadowTek.E [Threat Variant Name]

Category trojan
Size 678400 B
Detection created Oct 01, 2015
Detection database version 12340
Aliases Trojan.MSIL.Agent.abgtu (Kaspersky)
  Trojan:MSIL/Raflap.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to the following locations:

  • %temp%\FlashPlayer Servive\FlashPlayer_Service_Desktop.exe
  • %startup%\FlashPlayer_Service_Desktop.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "FlashPlayer_Service_Desktop" = "%temp%\FlashPlayer Servive\FlashPlayer_Service_Desktop.exe"
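The two persistence artifacts above (the Run value and the copy in the startup folder) are what an analyst would hunt for on a suspect host. The following is an added example, not part of the ESET write-up: it applies the indicators listed above to an exported set of HKCU Run values and a startup-folder listing. It goes one step beyond the entry by also flagging any Run value that launches an executable from %temp%, since a legitimate autostart rarely lives there. The user name, the environment values and the sample entries are constructed for the demonstration; the misspelled folder name "FlashPlayer Servive" is taken verbatim from the entry, because that is the string the sample actually writes.

```python
"""Hunt for the ChadowTek persistence artifacts in exported Run-key
values and a startup-folder listing.  Works offline: paths are handled
with ntpath, and %var% tokens are expanded from a constructed map."""
import ntpath
import re

# Indicators from the write-up.  "Servive" is the malware's own typo.
IOC_FILENAME = "flashplayer_service_desktop.exe"
IOC_DIR_FRAGMENT = "flashplayer servive"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed environment for a hypothetical host (user "alice").
ENV = {
    "temp": r"C:\Users\alice\AppData\Local\Temp",
    "appdata": r"C:\Users\alice\AppData\Roaming",
}
ENV["startup"] = ENV["appdata"] + r"\Microsoft\Windows\Start Menu\Programs\Startup"


def expand(path, env=ENV):
    """Expand %NAME% tokens case-insensitively, as the Windows shell does."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def executable_from_run_value(value):
    """Return the program path from a Run value, dropping quotes and arguments.
    Unquoted values may contain spaces, so cut after the first '.exe' instead
    of splitting on whitespace."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.search(r"\.exe\b", value, re.IGNORECASE)
    return value[:m.end()] if m else value


def is_suspicious_run_entry(name, value):
    """Return the list of reasons a Run value matches; empty list if clean."""
    exe = ntpath.normpath(expand(executable_from_run_value(value))).lower()
    temp = ntpath.normpath(ENV["temp"]).lower()
    reasons = []
    if ntpath.basename(exe) == IOC_FILENAME:
        reasons.append("known filename")
    if IOC_DIR_FRAGMENT in exe:
        reasons.append("known directory")
    if exe.startswith(temp + "\\"):
        reasons.append("Run entry launches from %temp%")
    return reasons


def scan(run_entries, startup_files):
    """Check Run values and startup-folder files; return (where, value, reasons)."""
    findings = []
    for name, value in run_entries.items():
        reasons = is_suspicious_run_entry(name, value)
        if reasons:
            findings.append((RUN_KEY + "\\" + name, value, reasons))
    for path in startup_files:
        if ntpath.basename(path).lower() == IOC_FILENAME:
            findings.append(("startup folder", path, ["known filename"]))
    return findings


# Constructed sample input: one benign entry, the ChadowTek entry, and an
# unrelated loader running from %temp% that the heuristic should also catch.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "FlashPlayer_Service_Desktop": r"%temp%\FlashPlayer Servive\FlashPlayer_Service_Desktop.exe",
    "Updater": r"%temp%\upd.exe",
}
SAMPLE_STARTUP = [
    ENV["startup"] + r"\FlashPlayer_Service_Desktop.exe",
    ENV["startup"] + r"\desktop.ini",
]

if __name__ == "__main__":
    for where, value, reasons in scan(SAMPLE_RUN, SAMPLE_STARTUP):
        print(where)
        print("  " + value)
        print("  -> " + ", ".join(reasons))
```

On a live host the two inputs would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a directory listing of the startup folder; the expansion map exists only so the check runs without a Windows environment. Note that the filename match alone is weak (the malware author can rename the binary), which is why the %temp% heuristic is included as the more durable signal.
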

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • computer name
  • user name
  • volume serial number
  • hardware information
  • list of running processes
  • list of files/folders on a specific drive

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan behaves differently if it detects a running process containing one of the following strings in its name:

  • AvastUI
  • avgui
  • avp

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL. It communicates over HTTP.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • upload files to a remote computer
  • various file system operations
  • terminate running processes
  • capture screenshots
  • send gathered information
