Win32/Remtasu [Threat Name]

Detection created2011-04-20
World activity peak 2017-03-27 (0.23 %)
Short description

Win32/Remtasu is a trojan that steals sensitive information.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %appdata%\­%variable1%\­%variable2%.exe
  • %programfiles%\­%variable1%\­%variable2%.exe
  • %system%\­%variable1%\­%variable2%.exe
  • %temp%\­%variable1%\­%variable2%.exe
  • %windir%\­%variable1%\­%variable2%.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "HKLM" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "HKCU" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Active Setup\­Installed Components\­{%variable5%}]
    • "StubPath" = "%malwarefilepath% restart"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • "Server" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • "Server" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "explorer.exe %malwarefilepath%"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "explorer.exe %malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "Server" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "Server" = "%malwarefilepath%"

This causes the trojan to be executed on every system start. The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­%variable3%]
    • "Mutex" = "%variable4%"
    • "LastSize" = "%variable5%"
    • "ServerStarted" = "%variable6%"
    • "ServerName" = "%malwarefilepath%"

A string with variable content is used instead of %variable1-6% .


The trojan launches the following processes:

  • explorer.exe
  • svchost.exe
  • %defaultbrowser%

The trojan creates and runs a new thread with its own code within these running processes.

Information stealing

Win32/Remtasu is a trojan that steals sensitive information.


It can execute the following operations:

  • steal information from the Windows clipboard
  • log keystrokes

The collected information is stored in the following file:

  • %appdata%\­Microsoft\­Windows\­%variable%.dat
  • %appdata%\­%variable%.dat

A string with variable content is used instead of %variable% .


The trojan attempts to send gathered information to a remote machine. The FTP protocol is used.

Other information

The trojan contains an URL address.


It tries to download the other part of the infiltration from the address. The HTTP protocol is used.


The file is stored in the following location:

  • %appdata%\­Microsoft\­Windows\­%variable%.xtr

The file is executed as a thread in the folowing process:

  • %malwarefilepath%

The trojan may create the following files:

  • %appdata%\­Microsoft\­Windows\­%variable%.cfg

A string with variable content is used instead of %variable% .


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­SOFTWARE]
    • "FakeMessage" = "OK"

Threat Variants with Description

Threat Variant Name Date Added Threat Type
Win32/Remtasu.Y 2012-02-08 trojan
Win32/Remtasu.A 2011-04-20 trojan

Please enable Javascript to ensure correct displaying of this content and refresh this page.