Win32/Cakl [Threat Name] go to Threat
Win32/Cakl.NAG [Threat Variant Name]
Category | trojan |
Size | 113248 B |
Aliases | Backdoor.Win32.Turkojan.il (Kaspersky) |
Backdoor:Win32/Turkojan.AI (Microsoft) | |
BackDoor-CZP.dr.trojan (McAfee) | |
Backdoor.Trojan (Symantec) |
Short description
Win32/Cakl.NAG installs a backdoor that can be controlled remotely.
Installation
When executed, the trojan copies itself in some of the the following locations:
- %windir%\mstwain32.exe
- %appdata%\mstwain32.exe
The following files are dropped in the same folder:
- ntdtcstp.dll (7168 B, Win32/Cakl.NAF)
- cmsetac.dll (33792 B)
In order to be executed on system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run]
- "mstwain32" = "%malwarefilepath%"
The trojan removes system restore points.
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
Information stealing
Win32/Cakl.NAG is a trojan that steals sensitive information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- data from the clipboard
- information about the operating system and system settings
The trojan is able to log keystrokes.
The collected information is stored in the following files:
- KB8888239.log
- KB8888113.log
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (2) URLs. It tries to connect to remote machine to port: 15963 (TCP).
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- terminate running processes
- start/stop services
- show/hide application windows
- swap mouse buttons
- various filesystem operations
- send the list of disk devices and their type to a remote computer
- sending various information about the infected computer
- hide taskbar
- open a specific URL address
- shut down/restart the computer
- log off the current user
- open the CD/DVD drive
- create Registry entries
- delete Registry entries
- execute shell commands
- show fake alerts
- capture webcam video/voice
The trojan may affect the behavior of the following applications:
- Microsoft MSN Messenger
The trojan hides its running process.
The trojan hooks the following Windows APIs:
- FindFirstFileA (kernel32.dll)
- FindFirstFileW (kernel32.dll)
- FindNextFileA (kernel32.dll)
- FindNextFileW (kernel32.dll)
- NtQuerySystemInformation (ntdll.dll)
- RegEnumValueA (advapi32.dll)
- RegEnumValueW (advapi32.dll)