Win32/Grifwin [Threat Name] go to Threat

Win32/Grifwin.I [Threat Variant Name]

Category trojan
Size 39936 B
Detection created May 06, 2015
Detection database version 11586
Aliases Trojan.Win32.Agentb.bpip (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %systemdrive%\­User Backup\­userbckp.exe

The trojan creates the following files:

  • %startup%\­System Backup.lnk
  • %startup%\­Windows Backup.lnk
  • %startup%\­Windows Graphics Manager.lnk

The file is a shortcut to a malicious file.

This causes the trojan to be executed on every system start.

The trojan may create the following files:

  • %systemdrive%\­User Backup\­userbckp.ini
  • %systemdrive%\­User Backup\­userbckp.txt
Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • hardware information
  • logged keystrokes
  • screenshots
  • data from the clipboard
  • file(s) content

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • log keystrokes
  • capture screenshots
  • steal information from the Windows clipboard
  • set clipboard data
  • send gathered information
  • upload file list
  • upload files to a remote computer
  • delete files
  • simulate user's input (clicks, taps)
  • shut down/restart the computer

Please enable Javascript to ensure correct displaying of this content and refresh this page.