MSIL/ChadowTek [Threat Name]
MSIL/ChadowTek.E [Threat Variant Name]
Category | trojan
Size | 678400 B
Aliases | Trojan.MSIL.Agent.abgtu (Kaspersky), Trojan:MSIL/Raflap.A (Microsoft)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to the following locations:
- %temp%\FlashPlayer Servive\FlashPlayer_Service_Desktop.exe
- %startup%\FlashPlayer_Service_Desktop.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "FlashPlayer_Service_Desktop" = "%temp%\FlashPlayer Servive\FlashPlayer_Service_Desktop.exe"
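A read-only check for the persistence artifacts listed above, as an added example that is not part of the original entry and not ESET's own tooling. It assumes %temp% maps to $env:TEMP and %startup% to the current user's Startup folder, and it only reports what it finds; the file size is compared against the size stated in the entry as a weak corroborating hint, not as a verdict.

```powershell
# Hunt for the MSIL/ChadowTek.E persistence artifacts described in the entry.
# Added example (not from the original page). Read-only: reports, never deletes.
function Find-ChadowTekArtifacts {
    $findings  = @()
    $runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'FlashPlayer_Service_Desktop'   # Run value name from the entry
    $knownSize = 678400                          # size in bytes from the entry

    # 1. Run-key autostart value with the documented name.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
        $findings += "Run value '$valueName' -> $($run.$valueName)"
    }

    # 2. Dropped copies at the documented locations. The folder name
    #    'FlashPlayer Servive' (sic) is reproduced exactly as the entry lists it.
    $startup = [Environment]::GetFolderPath('Startup')
    $paths = @(
        (Join-Path $env:TEMP 'FlashPlayer Servive\FlashPlayer_Service_Desktop.exe'),
        (Join-Path $startup  'FlashPlayer_Service_Desktop.exe')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $sizeNote = if ($item.Length -eq $knownSize) { 'matches entry' } else { 'differs from entry' }
            $findings += "File: $p ($($item.Length) B, $sizeNote, SHA256 $hash)"
        }
    }

    # 3. A running instance launched from either dropped copy.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($paths -contains $_.Path) } |
        ForEach-Object { $findings += "Process: PID $($_.Id) running from $($_.Path)" }

    return $findings
}

$result = Find-ChadowTekArtifacts
if ($result.Count -gt 0) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No MSIL/ChadowTek.E persistence artifacts found for the current user.'
}
```

Run it in the context of each interactive user, since both the Run key and the Startup folder are per-user.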
Information stealing
The trojan collects the following information:
- information about the operating system and system settings
- computer name
- user name
- volume serial number
- hardware information
- list of running processes
- list of files/folders on a specific drive
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan behaves differently if it detects a running process containing one of the following strings in its name:
- AvastUI
- avgui
- avp
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- upload files to a remote computer
- various file system operations
- terminate running processes
- capture screenshots
- send gathered information