Win32/Spatet [Threat Name] go to Threat

Win32/Spatet.A [Threat Variant Name]

Category	trojan,worm
Size	300056 B
Aliases	Trojan.Win32.Agent.dfsa (Kaspersky)
	Trojan:Win32/Malagent (Microsoft)
	Infostealer (Symantec)

Short description

Win32/Spatet.A is a trojan that steals sensitive information. The trojan can send the information to a remote machine. The trojan contains a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself in some of the the following locations:

C:\Windows\System32\Services\svchost.exe (300056 B)
%appdata%\Services\svchost.exe (300056 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
- "Policies" = "%filepath%"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
- "Policies" = "%filepath%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Bios" = "%filepath%"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Bios" = "%filepath%"

The %filepath% is one of the following strings:

C:\Windows\System32\Services\svchost.exe
%appdata%\Services\svchost.exe

The trojan creates and runs a new thread with its own program code in all running processes.

Information stealing

The trojan collects the following information:

RAS accounts
HTML forms content
memory status
list of running processes
Windows Protected Storage passwords and credentials
Mozilla Firefox account information
user name
computer name
computer IP address
network adapter information
current screen resolution
operating system version

The trojan collects information related to the following applications:

Vitalwerks DUC
Windows Live
Internet Explorer
Mozilla Firefox
Google Chrome

The trojan can send the information to a remote machine. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

update itself to a newer version
remove itself from the infected computer
various filesystem operations
create folders
delete folders
set file attributes
move files
run executable files
terminate running processes
send the list of running processes to a remote computer
download files from a remote computer and/or the Internet
send files to a remote computer
delete cookies
send the list of disk devices and their type to a remote computer
create Registry entries
delete Registry entries
retrieve CPU information
steal information from the Windows clipboard
open a specific URL address
collect information about the operating system used
log keystrokes
shut down/restart the computer
capture screenshots
monitor network traffic
open ports
block keyboard and mouse input
capture webcam video/voice
open the CD/DVD drive
show/hide application windows

The trojan may create the following files:

%temp%\XX--XX--XX.txt
%temp%\NOIP.abc
%temp%\xxxyyyzzz.dat
%temp%\MSN.abc
%temp%\FIREFOX.abc
%temp%\IELOGIN.abc
%temp%\IEPASS.abc
%temp%\IEAUTO.abc
%temp%\IEWEB.abc
%temp%\XxX.xXx
%temp%\UuU.uUu
%temp%\%number1%.tmp
%appdata%\logs.dat
%appdata%\%number2%.txt"
%appdata%\SQLite3.dll

The %number1-2% represents a random number.

The following Registry entry is deleted:

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}]

The trojan may set the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}]
- "StubPath" = "%filepath%"
[HKEY_CURRENT_USER\SOFTWARE\g0dl1ke's Slave]
- "NewIdentification" = "g0dl1ke's Slave"
- "FirstExecution" = "%random%"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%variable%" = "%variable%:*:Enabled:Windows Firewall Update"

A string with variable content is used instead of %random%, %variable% .