Win32/Tagak [Threat Name]
Win32/Tagak.A [Threat Variant Name]
Category | trojan
Size | 846848 B
Short description
Win32/Tagak.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
When executed, the trojan copies itself into some of the following locations:
- %appdata%\advantage\AdVantage.exe
- %appdata%\Google Talk\googletalk.exe
- %appdata%\Skype\Phone\Skype.exe
The trojan creates the following files:
- %appdata%\Microsoft\%variable1%\%variable2%
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable3%" = ""%appdata%\%malwarefilename%" /%variable4%"
%variable1% to %variable3% stand for strings with variable content.
The switch appended to the command line (%variable4%) is one of the following:
- /nosplash
- /minimized
- /autostart
The trojan executes the following command:
- CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL "%originalmalwarefilepath%"
SYSTEMINFO takes several seconds to complete, so the five chained calls act as a delay before the original file is deleted; the copy in %appdata% keeps running.
The trojan injects its own program code into the following processes and runs it in a new thread:
- explorer.exe
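The persistence entry and the self-delete command above are the two host artifacts a responder can hunt for. The following script is an added example, not code from the original page or from ESET: it runs the indicators listed in this section (the three drop paths, the Run value shape `"<%appdata% path>" /<switch>`, and the `CMD /C SYSTEMINFO && ... && DEL` chain) over a small set of constructed sample events. The event dictionaries and their field names (`type`, `data`, `command_line`) are assumptions standing in for whatever your registry-audit or process-creation log export actually produces.

```python
import re

# Indicators from the threat description. Paths are relative to %APPDATA%.
TAGAK_DROP_PATHS = (
    r"advantage\AdVantage.exe",
    r"Google Talk\googletalk.exe",
    r"Skype\Phone\Skype.exe",
)
TAGAK_RUN_SWITCHES = ("/nosplash", "/minimized", "/autostart")

# Run value data has the shape: "<path>" /<switch>
RUN_VALUE_RE = re.compile(r'^"(?P<path>[^"]+)"\s+(?P<switch>/\S+)\s*$')
# Accept both the unexpanded %appdata% form and the expanded Roaming path.
APPDATA_RE = re.compile(r'(?:%appdata%|\\AppData\\Roaming)\\', re.IGNORECASE)
# Self-delete chain: CMD /C followed by repeated SYSTEMINFO calls and a DEL.
# Two or more SYSTEMINFO calls are accepted so minor variants still match (assumption).
SELF_DELETE_RE = re.compile(
    r'^cmd\s+/c\s+(?:systeminfo\s*&&\s*){2,}del\s+"(?P<target>[^"]+)"\s*$',
    re.IGNORECASE,
)

# Constructed sample events (not taken from the page); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "xk3j2",
     "data": r'"C:\Users\alice\AppData\Roaming\Skype\Phone\Skype.exe" /nosplash'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO '
                     '&& SYSTEMINFO && DEL "C:\\Users\\alice\\Downloads\\invoice.exe"'},
    {"type": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c systeminfo"},
]


def check_run_value(data: str):
    """Return a reason if a Run value matches the Tagak persistence pattern, else None."""
    m = RUN_VALUE_RE.match(data.strip())
    if not m:
        return None
    path, switch = m.group("path"), m.group("switch")
    if switch.lower() not in TAGAK_RUN_SWITCHES:
        return None
    if not APPDATA_RE.search(path):
        return None
    # Strongest signal: the executable sits at one of the documented drop paths.
    for rel in TAGAK_DROP_PATHS:
        if path.lower().endswith(rel.lower()):
            return f"known Tagak drop path {rel} with switch {switch}"
    # Weaker signal: an %APPDATA% executable started with one of the Tagak switches.
    return f"%APPDATA% executable started with Tagak switch {switch}"


def check_command_line(cmd: str):
    """Return a reason if a process command line is the SYSTEMINFO delay + DEL chain."""
    m = SELF_DELETE_RE.match(cmd.strip())
    if not m:
        return None
    count = len(re.findall(r"systeminfo", cmd, re.IGNORECASE))
    return f"SYSTEMINFO x{count} delay chain deleting {m.group('target')}"


def scan(events):
    """Run both checks over a list of events; return (index, reason) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "registry":
            reason = check_run_value(ev["data"])
        elif ev["type"] == "process":
            reason = check_command_line(ev["command_line"])
        else:
            reason = None
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The weaker Run-key match (any `%APPDATA%` executable with `/nosplash`, `/minimized` or `/autostart`) is a triage hint rather than a verdict, since legitimate software also autostarts with such switches; the drop-path match and the SYSTEMINFO chain are the specific indicators. Note that the value name (`%variable3%`) is random per the description, so it is not usable as an indicator.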
Information stealing
Win32/Tagak.A is a trojan that steals sensitive information.
The trojan collects the following information:
- information about the operating system and system settings
The trojan attempts to send gathered information to a remote machine.
The trojan contains a list of 9 URLs. The HTTP protocol is used.
Other information
The trojan terminates its execution if it detects that it is running in a specific virtual environment.