Win32/Spatet [Threat Name] go to Threat

Win32/Spatet.T [Threat Variant Name]

Category trojan
Size 2695168 B
Detection created Feb 13, 2011
Signature database version 7470
Aliases Trojan.Win32.Agent.adujb (Kaspersky)
  Worm:Win32/Rebhip.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­Microsoft\­argwar.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "Policies" = "%appdata%\­Microsoft\­argwar.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "Policies" = "%appdata%\­Microsoft\­argwar.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­SOFTWARE]
    • "FirstExecution" = "%variable%"
    • "NewIdentification" = "argwar"

A string with variable content is used instead of %variable% .


The trojan creates the following files:

  • %temp%\­%username%2.txt (394328 B)
  • %appdata%\­%username%-wchelper.dll (154283 B)

The trojan may create and run a new thread with its own program code within any running process.

Information stealing

Win32/Spatet.T is a trojan that steals sensitive information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information
  • current screen resolution
  • installed program components under  [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Uninstall] Registry subkeys
  • list of running services

The following programs are affected:

  • DynDNS
  • FileZilla
  • Flock
  • Internet Download Manager
  • Internet Explorer
  • Mozilla Firefox
  • Paltalk
  • Pidgin
  • Trillian
  • Vitalwerks Dynamic Update Client
  • Windows Live Messenger
  • Yahoo! Messenger

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP, TCP, FTP protocol is used.


It can execute the following operations:

  • create Registry entries
  • delete Registry entries
  • various Registry operations
  • capture webcam video/voice
  • show/hide application windows
  • set file attributes
  • open the CD/DVD drive
  • send the list of files on a specific drive to a remote computer
  • create files
  • create folders
  • delete folders
  • delete files
  • move files
  • send files to a remote computer
  • steal information from the Windows clipboard
  • uninstall and delete applications
  • capture screenshots
  • turn the display off
  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • execute shell commands
  • send open TCP and UDP port numbers to a remote computer
  • send the list of running processes to a remote computer
  • terminate running processes
  • send the list of disk devices and their type to a remote computer
  • obtain the list of shared network folders
  • shut down/restart the computer
  • log off the current user
  • start/stop services
  • simulate user's input (clicks, taps)
  • log keystrokes
  • swap mouse buttons
  • block keyboard and mouse input
  • open a specific URL address
  • set up a proxy server
  • redirect network traffic
  • uninstall itself
  • update itself to a newer version

Please enable Javascript to ensure correct displaying of this content and refresh this page.