Win32/Spatet [Threat Name]
Win32/Spatet.A [Threat Variant Name]
Category | trojan, worm
Size | 300056 B
Aliases | Trojan.Win32.Agent.dfsa (Kaspersky), Trojan:Win32/Malagent (Microsoft), Infostealer (Symantec)
Short description
Win32/Spatet.A is a trojan that steals sensitive information. The trojan can send the information to a remote machine. The trojan contains a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to one of the following locations:
- C:\Windows\System32\Services\svchost.exe (300056 B)
- %appdata%\Services\svchost.exe (300056 B)
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
- "Policies" = "%filepath%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
- "Policies" = "%filepath%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Bios" = "%filepath%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Bios" = "%filepath%"
The %filepath% is one of the following strings:
- C:\Windows\System32\Services\svchost.exe
- %appdata%\Services\svchost.exe
The trojan creates and runs a new thread with its own program code in all running processes.
Information stealing
The trojan collects the following information:
- RAS accounts
- HTML forms content
- memory status
- list of running processes
- Windows Protected Storage passwords and credentials
- Mozilla Firefox account information
- user name
- computer name
- computer IP address
- network adapter information
- current screen resolution
- operating system version
The trojan collects information related to the following applications:
- Vitalwerks DUC
- Windows Live
- Internet Explorer
- Mozilla Firefox
- Google Chrome
The trojan can send the information to a remote machine. The HTTP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (2) URLs. The HTTP protocol is used.
It can execute the following operations:
- update itself to a newer version
- remove itself from the infected computer
- various filesystem operations
- create folders
- delete folders
- set file attributes
- move files
- run executable files
- terminate running processes
- send the list of running processes to a remote computer
- download files from a remote computer and/or the Internet
- send files to a remote computer
- delete cookies
- send the list of disk devices and their type to a remote computer
- create Registry entries
- delete Registry entries
- retrieve CPU information
- steal information from the Windows clipboard
- open a specific URL address
- collect information about the operating system used
- log keystrokes
- shut down/restart the computer
- capture screenshots
- monitor network traffic
- open ports
- block keyboard and mouse input
- capture webcam video/voice
- open the CD/DVD drive
- show/hide application windows
The trojan may create the following files:
- %temp%\XX--XX--XX.txt
- %temp%\NOIP.abc
- %temp%\xxxyyyzzz.dat
- %temp%\MSN.abc
- %temp%\FIREFOX.abc
- %temp%\IELOGIN.abc
- %temp%\IEPASS.abc
- %temp%\IEAUTO.abc
- %temp%\IEWEB.abc
- %temp%\XxX.xXx
- %temp%\UuU.uUu
- %temp%\%number1%.tmp
- %appdata%\logs.dat
- %appdata%\%number2%.txt
- %appdata%\SQLite3.dll
%number1% and %number2% each represent a random number.
The following Registry entry is deleted:
- [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}]
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}]
- "StubPath" = "%filepath%"
- [HKEY_CURRENT_USER\SOFTWARE\g0dl1ke's Slave]
- "NewIdentification" = "g0dl1ke's Slave"
- "FirstExecution" = "%random%"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%variable%" = "%variable%:*:Enabled:Windows Firewall Update"
A string with variable content is used instead of %random% and %variable%.
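The following read-only host check is an added example and not part of the ESET description; it looks for the file copies and Run-key values from the Installation section and the Active Setup and marker keys from the Other information section above. It assumes an elevated PowerShell session and only reports what it finds.

```powershell
# Added example (not ESET's code): report Win32/Spatet.A indicators listed on this page.
# File locations from the Installation section (%appdata% -> $env:APPDATA).
$paths = @(
    "$env:SystemRoot\System32\Services\svchost.exe",
    "$env:APPDATA\Services\svchost.exe"
)

# Run-key locations and value names the trojan sets for persistence.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$valueNames = @('Policies', 'Bios')

$findings = @()

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $len = (Get-Item -LiteralPath $p).Length
        $findings += "File present: $p ($len B; page lists 300056 B)"
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $valueNames) {
        $val = $props.PSObject.Properties[$name]
        # Flag only when the value points at a Services\svchost.exe copy, the
        # location this sample uses; the genuine svchost.exe sits directly in
        # System32 and is never registered through a Run key.
        if ($val -and $val.Value -match '\\Services\\svchost\.exe') {
            $findings += "Run value: $key\$name = $($val.Value)"
        }
    }
}

# Active Setup StubPath key and the marker key from the Other information section.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}'
if (Test-Path -LiteralPath $asKey) { $findings += "Active Setup key present: $asKey" }
$marker = "HKCU:\SOFTWARE\g0dl1ke's Slave"
if (Test-Path -LiteralPath $marker) { $findings += "Marker key present: $marker" }

if ($findings.Count -eq 0) { 'No Win32/Spatet.A indicators found.' } else { $findings }
```

Because the trojan injects a thread into every running process, a clean result from this check does not clear memory; treat any hit as grounds for a full offline scan.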