Win32/Caphaw [Threat Name]

Win32/Caphaw.I [Threat Variant Name]

Category: trojan
Size: 188416 B
Detection created: Mar 22, 2012
Signature database version: 6989
Aliases: Trojan.Win32.Agent.smmf (Kaspersky), BackDoor-FHI.trojan (McAfee), Backdoor:Win32/Caphaw.H (Microsoft), Trojan.Shylock!gen4 (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using MPRESS.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable%.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "{%variable%}" = "%appdata%\%variable%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1406" = 3
    • "1609" = 3
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1

The trojan creates the following file:

  • %appdata%\Mozilla\Firefox\Profiles\%profile%\user.js (320 B)

The trojan runs the following process:

  • %systemroot%\System32\svchost.exe

The trojan creates and runs a new thread with its own program code in all running processes.
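The persistence and Internet Explorer zone changes listed above are easy to check for on a live or exported user hive. The script below is an added example written for this page; it is not ESET's tooling and not part of the original description. It parses a hive fragment in the `.reg` export syntax (the constructed sample embedded here is made up for the example, not captured from an infection) and reports the three indicator groups the page names: a Run value whose name is wrapped in braces and whose data is an .exe placed directly in the %appdata% root, the zone 3 policies 1406, 1609 and 2500 all set to 3, and NoProtectedModeBanner set to 1. The brace-wrapped value name and the "directly in the Roaming root" path shape are taken from the page's `"{%variable%}" = "%appdata%\%variable%.exe"` entry; treating them as the match criteria is this example's assumption. The function names `parse_reg_export` and `scan_reg_export` are this example's own.

```python
import re
from typing import Dict, List, Optional, Union

RegValue = Union[str, int]
RegTree = Dict[str, Dict[str, RegValue]]

# Keys named on the page (HKCU paths, as written in the description).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Zone 3 (Internet) policy entries the page lists as set to 3.
ZONE3_INDICATORS = {"1406": 3, "1609": 3, "2500": 3}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
# Assumption from the page's "{%variable%}" value name: braces around any string.
_BRACED_NAME_RE = re.compile(r"^\{.+\}$")
# Assumption from "%appdata%\%variable%.exe": an .exe directly in the Roaming root,
# i.e. no further subdirectory between Roaming and the file name.
_APPDATA_ROOT_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample hive fragment (made up for this example). It mixes benign
# entries with the three indicator groups so the scan has something to find.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe /background"
"{6F2A9B1C-0D3E-4F50-A1B2-C3D4E5F60718}"="C:\\Users\\alice\\AppData\\Roaming\\kqzvt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000003
"1609"=dword:00000003
"2500"=dword:00000003
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
"Start Page"="https://www.example.com/"
'''


def parse_reg_export(text: str) -> RegTree:
    """Minimal parser for .reg export syntax: [key] headers followed by
    "name"=data lines. Handles quoted strings (doubled backslashes) and dword:
    values; any other data type is kept verbatim as a string."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            tree.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group(1), value_match.group(2)
            if data.startswith("dword:"):
                tree[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                tree[current][name] = data[1:-1].replace("\\\\", "\\")
            else:
                tree[current][name] = data
    return tree


def scan_reg_export(text: str) -> List[str]:
    """Return one human-readable finding per indicator group that is present."""
    tree = parse_reg_export(text)
    findings: List[str] = []

    # Persistence: braced value name pointing at an .exe in the %appdata% root.
    for name, data in tree.get(RUN_KEY, {}).items():
        if isinstance(data, str) and _BRACED_NAME_RE.match(name) \
                and _APPDATA_ROOT_EXE_RE.search(data):
            findings.append(f"Run entry {name} -> {data}")

    # All three zone 3 policies forced to 3, as the page lists them.
    zone3 = tree.get(ZONE3_KEY, {})
    if all(zone3.get(n) == v for n, v in ZONE3_INDICATORS.items()):
        findings.append("Zone 3 policies 1406/1609/2500 all set to 3")

    # Protected Mode banner suppressed in Internet Explorer.
    if tree.get(IE_MAIN_KEY, {}).get("NoProtectedModeBanner") == 1:
        findings.append("NoProtectedModeBanner = 1")

    return findings


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print("indicator:", finding)
```

On a real machine the input would be the decoded text of a `reg export HKCU\Software\Microsoft ...` dump rather than the constructed sample. Each group is reported independently: the zone and banner settings on their own are weak evidence (they can be set legitimately), while the braced Run value pointing into the Roaming root is the part that most directly matches this family's installation pattern, so an analyst would weight a hit on all three far higher than any single one.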

Information stealing

Win32/Caphaw.I is a trojan that steals sensitive information.


The trojan collects the following information:

  • computer name
  • operating system version
  • information about the operating system and system settings
  • CPU information
  • list of running processes
  • cookies
  • memory status
  • list of disk devices and their type
  • Internet Explorer version
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • Mozilla Firefox version
  • antivirus software detected on the affected machine
  • installed firewall application

The trojan collects sensitive information when the user browses certain web sites.


The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 4 URLs. The HTTPS protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send files to a remote computer
  • remove itself from the infected computer
  • monitor network traffic
  • delete cookies
  • block access to specific websites
  • show/hide application windows
  • modify website content
  • watch the user's screen content
  • terminate running processes

The trojan hooks the following Windows APIs:

  • NtQueryDirectoryFile (ntdll.dll)
  • ZwQueryDirectoryFile (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • ZwEnumerateValueKey (ntdll.dll)
  • ExitWindowsEx (user32.dll)
  • GetMessageW (user32.dll)
  • InitiateSystemShutdownExW (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessW (kernel32.dll)
  • CreateProcessA (kernel32.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetSetStatusCallback (wininet.dll)
  • send (ws2_32.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • PR_Close (nspr4.dll)
  • CERT_VerifyCertName (nss3.dll)
  • CERT_VerifyCertNow (nss3.dll)

The trojan hides its presence in the system.
