Win32/Tagak [Threat Name] go to Threat

Win32/Tagak.A [Threat Variant Name]

Category trojan
Size 846848 B
Detection created Feb 14, 2012
Detection database version 10797
Short description

Win32/Tagak.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %appdata%\­advantage\­AdVantage.exe
  • %appdata%\­Google Talk\­googletalk.exe
  • %appdata%\­Skype\­Phone\­Skype.exe

The trojan creates the following files:

  • %appdata%\­Microsoft\­%variable1%\­%variable2%

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable3%" = ""%appdata%\­%malwarefilename%" /%variable4%"

A string with variable content is used instead of %variable1-3% .


The %variable4% is one of the following strings:

  • /nosplash
  • /minimized
  • /autostart

The trojan executes the following commands:

  • CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL "%originalmalwarefilepath%"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
Information stealing

Win32/Tagak.A is a trojan that steals sensitive information.


The trojan collects the following information:

  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (9) URLs. The HTTP protocol is used.

Other information

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

Please enable Javascript to ensure correct displaying of this content and refresh this page.