Win32/Spatet [Threat Name]
Win32/Spatet.T [Threat Variant Name]
Category | trojan
Size | 2695168 B
Aliases | Trojan.Win32.Agent.adujb (Kaspersky), Worm:Win32/Rebhip.A (Microsoft)
Short description
The trojan serves as a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\Microsoft\argwar.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "Policies" = "%appdata%\Microsoft\argwar.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "Policies" = "%appdata%\Microsoft\argwar.exe"
The following Registry entries are set:
- [HKEY_CURRENT_USER\SOFTWARE]
- "FirstExecution" = "%variable%"
- "NewIdentification" = "argwar"
A string with variable content is used instead of %variable%.
The trojan creates the following files:
- %temp%\%username%2.txt (394328 B)
- %appdata%\%username%-wchelper.dll (154283 B)
The trojan may create and run a new thread with its own program code within any running process.
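As an added defender-side example (not part of the ESET description), the following Python checks a Windows registry export (.reg text) for the persistence entry and the marker value listed above; the sample export embedded in it is constructed, not a real capture.

```python
import re

# Indicators from the description above (lower-cased for comparison).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
}
DROPPED_EXE = r"\microsoft\argwar.exe"          # tail of %appdata%\Microsoft\argwar.exe
MARKER_VALUES = {"NewIdentification": "argwar"}  # written under HKEY_CURRENT_USER\SOFTWARE
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text):
    """Parse a Windows .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_spatet_indicators(reg_text):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() in RUN_KEYS:
            # Policies\Explorer\Run is a rarely used autorun location: flag every entry,
            # and rate the argwar.exe path from the description as HIGH.
            for name, data in values.items():
                sev = "HIGH" if data.lower().endswith(DROPPED_EXE) else "REVIEW"
                findings.append(f"{sev}: {key}\\{name} -> {data}")
        if key.lower() == r"hkey_current_user\software":
            for name, expected in MARKER_VALUES.items():
                if values.get(name, "").lower() == expected:
                    findings.append(f"HIGH: {key}\\{name} = {expected}")
    return findings

# Constructed sample export (not a real capture) with the entries listed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"="%appdata%\\Microsoft\\argwar.exe"
[HKEY_CURRENT_USER\SOFTWARE]
"NewIdentification"="argwar"
'''
```

Run it against the output of `reg export` for the two hives; any REVIEW entry in Policies\Explorer\Run deserves a look even when the path differs from the one documented here.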
Information stealing
Win32/Spatet.T is a trojan that steals sensitive information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- FTP account information
- current screen resolution
- installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
- list of running services
The following programs are affected:
- DynDNS
- FileZilla
- Flock
- Internet Download Manager
- Internet Explorer
- Mozilla Firefox
- Paltalk
- Pidgin
- Trillian
- Vitalwerks Dynamic Update Client
- Windows Live Messenger
- Yahoo! Messenger
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL. The HTTP, TCP and FTP protocols are used.
It can execute the following operations:
- create Registry entries
- delete Registry entries
- various Registry operations
- capture webcam video/voice
- show/hide application windows
- set file attributes
- open the CD/DVD drive
- send the list of files on a specific drive to a remote computer
- create files
- create folders
- delete folders
- delete files
- move files
- send files to a remote computer
- steal information from the Windows clipboard
- uninstall and delete applications
- capture screenshots
- turn the display off
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- send open TCP and UDP port numbers to a remote computer
- send the list of running processes to a remote computer
- terminate running processes
- send the list of disk devices and their type to a remote computer
- obtain the list of shared network folders
- shut down/restart the computer
- log off the current user
- start/stop services
- simulate user's input (clicks, taps)
- log keystrokes
- swap mouse buttons
- block keyboard and mouse input
- open a specific URL address
- set up a proxy server
- redirect network traffic
- uninstall itself
- update itself to a newer version