Win32/TrojanDownloader.Stantinko [Threat Name]

Win32/TrojanDownloader.Stantinko.P [Threat Variant Name]

Category trojan
Size 291840 B
Detection created Dec 07, 2014
Detection database version 10841
Aliases RDN/Downloader.a!ul.trojan (McAfee)
  TR/Rogue.291840.18 (Avira)
Short description

Win32/TrojanDownloader.Stantinko.P is a trojan which tries to download other malware from the Internet. It can be controlled remotely.


The trojan does not create any copies of itself.

The trojan creates the following file:

  • %system%\KBDMAI.dll (219681 B, Win32/TrojanDownloader.Stantinko.P)

The trojan registers the file as a system service.

This causes the trojan to be executed on every system start.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI]
    • "Description" = "Virtual keyboard 32-bit service"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI\Parameters]
    • "ServiceDll" = "%systemroot%\System32\KBDMAI.dll"
    • "info" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI\Parameters\System]
    • "pr" = "pr"
    • "p3" = "p3"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "netsvcs" = "%originalvalue%, KBDMAI"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI\Parameters]
    • "group" = "%variable2%"

A string with variable content is used instead of %variable1-2%.
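The persistence mechanism described above (a service DLL loaded by svchost.exe through the "netsvcs" group) can be audited from a registry export. The following Python script is an added example, not part of the ESET description: it parses a constructed .reg export that models the keys listed above, reports every netsvcs member missing from a known-good baseline together with its ServiceDll, and checks the specific KBDMAI indicators. The sample export, the baseline set and the "info" value are constructed for the example; on a real host the export would come from reg.exe and the baseline from a clean reference system.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export modelling the keys from the description above.
# A real export escapes backslashes inside string values as "\\".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI]
"Description"="Virtual keyboard 32-bit service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI\Parameters]
"ServiceDll"="%systemroot%\\System32\\KBDMAI.dll"
"info"="AbCd1234"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%systemroot%\\System32\\schedsvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"="Schedule, KBDMAI"
"""

# Constructed baseline of netsvcs members expected on this host (assumption:
# a real baseline is taken from a known-good machine of the same build).
BASELINE_NETSVCS = {"Schedule"}

SERVICES = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
SVCHOST = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG_SZ values of a .reg export into {key: {name: value}}.

    Key paths are lower-cased because the registry is case-insensitive;
    value names keep their case.  Non-string value types are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Undo the "\\" escaping used by .reg files for string data.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def netsvcs_members(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the service names listed in the svchost 'netsvcs' group."""
    value = keys.get(SVCHOST.lower(), {}).get("netsvcs", "")
    return [s.strip() for s in value.split(",") if s.strip()]


def find_unexpected_netsvcs(keys: Dict[str, Dict[str, str]],
                            baseline: set) -> List[Tuple[str, str]]:
    """Return (service, ServiceDll) for each netsvcs member not in the baseline.

    A service appended to netsvcs whose ServiceDll points at an unfamiliar
    DLL in System32 is exactly the shape of persistence described above.
    """
    findings = []
    for svc in netsvcs_members(keys):
        if svc in baseline:
            continue
        params = keys.get(f"{SERVICES}\\{svc}\\Parameters".lower(), {})
        findings.append((svc, params.get("ServiceDll", "<no ServiceDll>")))
    return findings


def matches_stantinko_p(keys: Dict[str, Dict[str, str]]) -> bool:
    """Check the specific indicators from the description: a KBDMAI service
    whose ServiceDll is KBDMAI.dll and which is listed in netsvcs."""
    params = keys.get(f"{SERVICES}\\KBDMAI\\Parameters".lower(), {})
    dll = params.get("ServiceDll", "").lower()
    return dll.endswith("kbdmai.dll") and "KBDMAI" in netsvcs_members(keys)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for svc, dll in find_unexpected_netsvcs(parsed, BASELINE_NETSVCS):
        print(f"unexpected netsvcs member {svc}: ServiceDll={dll}")
    print("Stantinko.P indicators present:", matches_stantinko_p(parsed))
```

The baseline comparison is the generally useful part: it surfaces any service appended to the netsvcs group, not only this variant, and the ServiceDll path tells the analyst which file to collect and scan.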

Information stealing

The trojan collects the following information:

  • list of running processes

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
