Win32/Spy.Pavica [Threat Name]

Win32/Spy.Pavica.AC [Threat Variant Name]

Category trojan
Size 54272 B
Detection created Oct 05, 2015
Detection database version 12357
Aliases TR/Spy.Agent.54272.11 (Avira)
  RDN/GenericPWS.ytrojan (McAfee)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan is probably a part of other malware.


The trojan may create the following files:

  • %malwarefolder%\tvr.cfg
  • %malwarefolder%\tv.ini
  • %malwarefolder%\TeamViewer.ini
  • %malwarefolder%\TeamViewr_Resource_en.dll
  • %malwarefolder%\TeamViewer_Desktop.exe
  • %malwarefolder%\tv_w32.exe
  • %malwarefolder%\tv_x64.exe
  • %malwarefolder%\tv_w32.dll
  • %malwarefolder%\tv_x64.dll
  • %malwarefolder%\tvrd.bat
  • %startup%\%variable1%.lnk

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "explorer.exe, %variable2%"
    • "ParseAutoexec" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%variable4%"

A string with variable content is used instead of %variable1-4%.
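As an added defender-side check (not part of this ESET entry), the following PowerShell audits the per-user persistence points listed above: a per-user Winlogon Shell value, the HKCU Run key, startup-folder shortcuts and the least ambiguous of the file names. Because the real %malwarefolder% is not known, the file search covers the user profile, which is an assumption.

```powershell
# Added audit script (not from the ESET entry). Run in a normal user PowerShell session.
$findings = @()

# 1. Winlogon "Shell" under HKCU. The default shell is defined under HKLM; a per-user
#    Shell value is unusual, and one that chains a second program after explorer.exe
#    (the "explorer.exe, %variable2%" form described above) is worth investigating.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path $winlogon) {
    $props = Get-ItemProperty -Path $winlogon
    if ($null -ne $props.Shell -and $props.Shell.Trim() -ne 'explorer.exe') {
        $findings += "Winlogon Shell set per-user: '$($props.Shell)'"
    }
    if ($props.ParseAutoexec -eq 1) {
        $findings += 'Winlogon ParseAutoexec = 1 under HKCU'
    }
}

# 2. HKCU Run key: list every value so unknown entries can be reviewed.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $run) {
    (Get-ItemProperty -Path $run).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $findings += "Run entry: $($_.Name) = $($_.Value)" }
}

# 3. Startup-folder .lnk files and the file names from the list that do not collide
#    with a genuine TeamViewer install (tv_w32.exe, tv_x64.dll etc. are real TeamViewer
#    names, so they are left out to avoid false positives). Search scope is assumed.
$names = 'tvr.cfg', 'TeamViewr_Resource_en.dll', 'tvrd.bat'
Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Lookalike file: $($_.FullName)" }
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Startup shortcut: $($_.Name)" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Any hit is a lead for review, not a verdict; a legitimate Run entry or startup shortcut will also be listed.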


Configuration is stored in the following file:

  • %malwarefolder%\tvr.cfg

Information stealing

The trojan collects the following information:

  • installed antivirus software
  • CPU information
  • operating system version
  • list of running processes

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The HTTP protocol is used in the communication.


The trojan may create and run a new thread with its own program code within any running process.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • remove itself from the infected computer
  • various filesystem operations
  • terminate running processes
  • shut down/restart the computer

The trojan hooks the following Windows APIs:

  • SetWindowTextW (user32.dll)
  • CreateWindowExW (user32.dll)
  • RegisterClassExW (user32.dll)
  • CreateDialogParamW (user32.dll)
  • DialogBoxParamW (user32.dll)
  • ShowWindow (user32.dll)
  • MessageBoxW (user32.dll)
  • MoveFileExW (kernel32.dll)
  • GetCommandLineW (kernel32.dll)
