Win32/Cakl [Threat Name] go to Threat

Win32/Cakl.NAG [Threat Variant Name]

Category trojan
Size 113248 B
Detection created Mar 17, 2008
Signature database version 10677
Aliases Backdoor.Win32.Turkojan.il (Kaspersky)
  Backdoor:Win32/Turkojan.AI (Microsoft)
  BackDoor-CZP.dr.trojan (McAfee)
  Backdoor.Trojan (Symantec)
Short description

Win32/Cakl.NAG installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %windir%\­mstwain32.exe
  • %appdata%\­mstwain32.exe

The following files are dropped in the same folder:

  • ntdtcstp.dll (7168 B, Win32/Cakl.NAF)
  • cmsetac.dll (33792 B)

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "mstwain32" = "%malwarefilepath%"

The trojan removes system restore points.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.

Information stealing

Win32/Cakl.NAG is a trojan that steals sensitive information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • data from the clipboard
  • information about the operating system and system settings

The trojan is able to log keystrokes.


The collected information is stored in the following files:

  • KB8888239.log
  • KB8888113.log

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. It tries to connect to remote machine to port: 15963 (TCP).


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • start/stop services
  • show/hide application windows
  • swap mouse buttons
  • various filesystem operations
  • send the list of disk devices and their type to a remote computer
  • sending various information about the infected computer
  • hide taskbar
  • open a specific URL address
  • shut down/restart the computer
  • log off the current user
  • open the CD/DVD drive
  • create Registry entries
  • delete Registry entries
  • execute shell commands
  • show fake alerts
  • capture webcam video/voice

The trojan may affect the behavior of the following applications:

  • Microsoft MSN Messenger

The trojan hides its running process.


The trojan hooks the following Windows APIs:

  • FindFirstFileA (kernel32.dll)
  • FindFirstFileW (kernel32.dll)
  • FindNextFileA (kernel32.dll)
  • FindNextFileW (kernel32.dll)
  • NtQuerySystemInformation (ntdll.dll)
  • RegEnumValueA (advapi32.dll)
  • RegEnumValueW (advapi32.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.