Win32/Remtasu [Threat Name] go to Threat
Win32/Remtasu.A [Threat Variant Name]
| Category | trojan |
| Size | 61287 B |
| Signature database version | 6058 (Apr 20, 2011) |
| Aliases | Trojan-PSW.Win32.Agent.xny (Kaspersky) |
| VirTool:Win32/Vbinder (Microsoft) |
Short description
Win32/Remtasu.A is a trojan that steals sensitive information. The trojan is usually a part of other malware. The file is run-time compressed using UPX .
Installation
When executed, the trojan copies itself into the following location:
- %system%\InstallDir\svchost.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run]
- "HKLM" = "%system%\InstallDir\svchost.exe"
- [HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run]
- "HKCU" = "%system%\InstallDir\svchost.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0O25E04M-7B06-0HJ3-4JIE-F010140VRDC6}]
- "StubPath" = "%system%\InstallDir\svchost.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\XtremeRAT]
- "Mutex" = "--((Mutex))--"
- "ServerStarted" = "%variable%"
- "ServerName" = "%system%\InstallDir\svchost.exe"
- "InstalledServer" = "%system%\InstallDir\svchost.exe"
A string with variable content is used instead of %variable% .
The trojan launches the following processes:
- %defaultbrowser%
- svchost.exe
The trojan creates and runs a new thread with its own code within these running processes.
Information stealing
Win32/Remtasu.A is a trojan that steals sensitive information.
It can execute the following operations:
- steal information from the Windows clipboard
- log keystrokes
The collected information is stored in the following file:
- %appdata%\--((Mutex))--.dat
Other information
The trojan contains an URL address.
It tries to download the other part of the infiltration from the address. The HTTP protocol is used.
The file is stored in the following location:
- %appdata%\--((Mutex))--.xtr
The file is executed as a thread in the folowing process:
- %system%\InstallDir\svchost.exe
The trojan may create the following files:
- %appdata%\--((Mutex))--.cfg