Win32/Remtasu [Threat Name] go to Threat

Win32/Remtasu.Y [Threat Variant Name]

Category trojan
Size 331941 B
Detection created Feb 08, 2012
Detection database version 8525
Aliases Trojan.Win32.Jorik.Xtrat.bsv (Kaspersky)
  Backdoor:Win32/Xtrat.A (Microsoft)
  Trojan.Malcol (Symantec)
Short description

Win32/Remtasu.Y is a trojan that steals sensitive information. The file is run-time compressed using RAR SFX .

Installation

When executed, the trojan creates the following files:

  • C:\­Program Files\­fg.exe (227589 B, Win32/Remtasu.Y)
  • C:\­Program Files\­maria sherry3.jpg (8827 B)

The files are then executed.


The trojan creates the following files:

  • %system%\­Server.exe\­Server.exe (227589 B, Win32/Remtasu.Y)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "HKLM" = "%system%\­Server.exe\­Server.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "HKCU" = "%system%\­Server.exe\­Server.exe"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Active Setup\­Installed Components\­{5460C4DF-B266-909E-CB58-E32B79832EB2}]
    • "StubPath" = "%system%\­Server.exe\­Server.exe restart"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­((Mutex))]
    • "ServerStarted" = "%variable1%"
    • "InstalledServer" = "%system%\­Server.exe\­Server.exe"
    • "LastSize" = "%variable2%"

A string with variable content is used instead of %variable1-2% .


The trojan launches the following processes:

  • explorer.exe
  • %defaultbrowser%
  • svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.

Information stealing

Win32/Remtasu.Y is a trojan that steals sensitive information.


It can execute the following operations:

  • steal information from the Windows clipboard
  • log keystrokes

The collected information is stored in the following file:

  • %appdata%\­Microsoft\­Windows\­((Mutex)).dat

The trojan attempts to send gathered information to a remote machine.


The FTP protocol is used.

Other information

The trojan contains an URL address.


It tries to download the other part of the infiltration from the address. The HTTP protocol is used.


The file is stored in the following location:

  • %appdata%\­Microsoft\­Windows\­((Mutex)).xtr

The file is executed as a thread in the folowing process:

  • %system%\­Server.exe\­Server.exe

The trojan may create the following files:

  • %appdata%\­Microsoft\­Windows\­((Mutex)).cfg

Please enable Javascript to ensure correct displaying of this content and refresh this page.