Win32/Spy.Aibatook [Threat Name] go to Threat

Win32/Spy.Aibatook.E [Threat Variant Name]

Category trojan
Size 159232 B
Aliases Trojan-Ransom.Win32.Blocker.czew (Kaspersky)
  RDN/PWS-Mmorpg!kl.trojan (McAfee)
  Trojan:Win32/Dynamer!dtc (Microsoft)
  Infostealer.Bankeiya (Symantec)
  Win32:OnLineGames-GLV (Avast)
Short description

Win32/Spy.Aibatook.E is a trojan that steals passwords and other sensitive information. The file is run-time compressed using VMProtect .


When executed, the trojan creates the following files:

  • %appdata%\­%variable%.dll (113664 B, Win32/Spy.Aibatook.E)

A string with variable content is used instead of %variable% .

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "TcpIpCfg" = "Rundll32 "%appdata%\­%variable%.dll" MainThread"

This causes the trojan to be executed on every system start.

The trojan executes the following command:

  • Rundll32 "%appdata%\­%variable%.dll" MainThread

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The following programs are affected:

  • Internet Explorer

The trojan collects passwords used to access the following site:


The trojan attempts to send gathered information to a remote machine.

The trojan may display the following fake dialog boxes:

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • stop itself for a certain time period
  • send gathered information

The trojan keeps various information in the following files:

  • %appdata%\­conf
  • %appdata%\­ini.ini

Please enable Javascript to ensure correct displaying of this content and refresh this page.