Win32/SpyVoltar [Threat Name] go to Threat

Win32/SpyVoltar.A [Threat Variant Name]

Category trojan
Size 175386 B
Detection created Oct 03, 2011
Signature database version 6514
Aliases Trojan.Win32.Buzus.irwz (Kaspersky)
  ZeroAccess.dr.gen.a.trojan (McAfee)
  Trojan:Win32/Vundo.gen!AW (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­netprotocol.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Netprotocol" = "%appdata%\­netprotocol.exe"

The trojan creates the following files:

  • %currentfolder%\­System.log
Information stealing

The trojan collects information related to the following applications:

  • FTP Commander
  • Far Manager
  • FileZilla
  • FlashFXP
  • Smart FTP
  • Total Commander
  • WinSCP

The following information is collected:

  • FTP account information

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (4) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • update itself to a newer version

The trojan changes the home page of the following web browsers:

  • Internet Explorer
  • Opera
  • Mozilla Firefox

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The trojan program is designed to deliver various advertisements to the user's systems.

Please enable Javascript to ensure correct displaying of this content and refresh this page.