Win32/TrojanDownloader.Stantinko [Threat Name]

Win32/TrojanDownloader.Stantinko.P [Threat Variant Name]

Category trojan
Size 291840 B
Detection created Dec 07, 2014
Detection database version 10841
Aliases RDN/Downloader.a!ul.trojan (McAfee)
  TR/Rogue.291840.18 (Avira)
Short description

Win32/TrojanDownloader.Stantinko.P is a trojan which tries to download other malware from the Internet. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan creates the following file:

  • %system%\KBDMAI.dll (219681 B, Win32/TrojanDownloader.Stantinko.P)

The trojan registers the file as a system service.


This causes the trojan to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI]
    • "Description" = "Virtual keyboard 32-bit service"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI\Parameters]
    • "ServiceDll" = "%systemroot%\System32\KBDMAI.dll"
    • "info" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI\Parameters\System]
    • "pr" = "pr"
    • "p3" = "p3"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "netsvcs" = "%originalvalue%, KBDMAI"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KBDMAI\Parameters]
    • "group" = "%variable2%"

A string with variable content is used instead of %variable1-2%.
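As an added example (not part of the original entry), the following Python checks a registry snapshot for the persistence pattern described above: a service appended to the svchost "netsvcs" group whose ServiceDll is loaded by svchost.exe at boot. The snapshot and the clean baseline are constructed; the KBDMAI entries mirror the values listed on this page.

```python
"""Flag svchost 'netsvcs' members that are missing from a known-clean baseline.

Example detection logic for service-DLL persistence via the netsvcs group.
The registry snapshot and the baseline below are constructed for this example.
"""
from typing import Dict, List

Registry = Dict[str, Dict[str, object]]  # key path -> {value name: data}

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# Constructed baseline: netsvcs members recorded on a clean reference host.
BASELINE_NETSVCS = {"AeLookupSvc", "BITS", "Schedule", "Themes"}

# Constructed snapshot of an infected host (netsvcs is REG_MULTI_SZ, hence a list).
INFECTED_SNAPSHOT: Registry = {
    SVCHOST_KEY: {"netsvcs": ["AeLookupSvc", "BITS", "Schedule", "Themes", "KBDMAI"]},
    SERVICES_KEY + r"\KBDMAI": {"Description": "Virtual keyboard 32-bit service"},
    SERVICES_KEY + r"\KBDMAI\Parameters": {"ServiceDll": r"%systemroot%\System32\KBDMAI.dll"},
}


def find_unexpected_netsvcs(reg: Registry, baseline=BASELINE_NETSVCS) -> List[dict]:
    """Return one finding per netsvcs member that is not in the baseline.

    Each finding carries the service's Description and ServiceDll so an analyst
    can see which DLL svchost.exe would load on the next system start.
    """
    members = reg.get(SVCHOST_KEY, {}).get("netsvcs", [])
    findings = []
    for name in members:
        if name in baseline:
            continue
        service = reg.get(f"{SERVICES_KEY}\\{name}", {})
        params = reg.get(f"{SERVICES_KEY}\\{name}\\Parameters", {})
        findings.append({
            "service": name,
            "description": service.get("Description"),
            "service_dll": params.get("ServiceDll"),
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_netsvcs(INFECTED_SNAPSHOT):
        print(f"unexpected netsvcs member {f['service']}: {f['service_dll']} ({f['description']})")
```

On a live host the same check applies to a snapshot exported from HKLM; a member that is absent from the baseline and whose ServiceDll is not a Microsoft-signed file is the case worth triaging.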

Information stealing

The trojan collects the following information:

  • list of running processes

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
