Win32/Spy.Tewgol [Threat Name] go to Threat

Win32/Spy.Tewgol.L [Threat Variant Name]

Category trojan
Size 353464 B
Detection created Jun 30, 2017
Detection database version 15671
Aliases Trojan.Win32.Agent.nfaqyg (Kaspersky)
  TrojanSpy:Win32/Tougle.E!bit (Microsoft)
Short description

The trojan serves as a proxy server. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %commonappdata%\­wta%randomnumber%.exe

The trojan registers itself as a system service using the following name:

  • wta%randomnumber%

The variable %randomnumber% represents a randomly generated number in the range 0 - 65535 .

The trojan may create the following files:

  • %localappdata%\­1
  • %temp%\­Marker3717.dat
  • %commonappdata%\­_lg.3sap

The trojan may delete the following files:

  • %commonappdata%\­_lg.1sap
  • %commonappdata%\­_lg.2sap
  • %commonappdata%\­_lg.3sap

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­CDESoft]
    • "State" = 1
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (5) URLs. The HTTP, TCP protocol is used.

The trojan serves as a proxy server.

The trojan keeps various information in the following files:

  • %localappdata%\­1

Please enable Javascript to ensure correct displaying of this content and refresh this page.