Win32/Appetite [Threat Name] go to Threat

Win32/Appetite.C [Threat Variant Name]

Category trojan
Size 348264 B
Detection created Feb 04, 2014
Detection database version 9378
Aliases (Kaspersky)
  BackDoor-FBRF.trojan (McAfee)
  TrojanDropper:Win32/Seedna.A (Microsoft)
  Backdoor.Weevil.B (Symantec)
  Backdoor.Mask.E (BitDefender)
Short description

Win32/Appetite.C installs a backdoor that can be controlled remotely. It uses techniques common for rootkits.


When executed, the trojan creates the following files:

  • %system%\­awdcxc32.dll (8192 B, Win32/Appetite.C)
  • %system%\­mfcn30.dll (17920 B, Win32/Appetite.C)
  • %system%\­vchw9x.dll (20992 B, Win32/Appetite.C)
  • %system%\­awcodc32.dll (24576 B, Win32/Appetite.C)
  • %system%\­jpeg1x32.dll (31744 B, Win32/Appetite.C)
  • %system%\­bootfont.bin (122912 B, Win32/Appetite.C)
  • %system%\­Drivers\­scsimap.sys (14464 B, Win32/Appetite.C)
  • %temp%\­___%variable%.tmp (9320 B, Win32/Appetite.C)

A string with variable content is used instead of %variable% .

Installs the following system drivers (path, name):

  • %system%\­Drivers\­scsimap.sys, scsimap

This causes the trojan to be executed on every system start.

The trojan runs the following process:

  • %temp%\­___%variable%.tmp

The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • emule.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • mozilla.exe
  • netscape.exe
  • opera.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Control\­Session Manager\­Memory Management\­PrefetchParameters]
    • "EnablePrefetcher" = 2
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­scsimap\­Params]
    • "Value" = %binary% (44728 B)

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Appetite.C is a trojan that steals sensitive information.

The trojan collects the following information:

  • file(s) content
  • network adapter information
  • operating system version
  • information about the operating system and system settings
  • list of disk devices and their type
  • list of running processes
  • installed software
  • country
  • user name
  • CPU information
  • memory status

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • monitor network traffic
  • modify network traffic
  • send files to a remote computer
  • send the list of files on a specific drive to a remote computer

The trojan keeps various information in the following files:

  • %systemroot%\­System32\­c_50229.nls
  • %systemroot%\­System32\­c_50227.nls

Please enable Javascript to ensure correct displaying of this content and refresh this page.