Win32/Spatet [Threat Name]
Win32/Spatet.C [Threat Variant Name]
Category | trojan
Size | 903177 B
Aliases | Trojan-Dropper.MSIL.StubRC.bmd (Kaspersky); Generic.Dropper.uu (McAfee); VirTool:Win32/BeeInject (Microsoft)
Short description
The trojan serves as a backdoor.
Installation
When executed, the trojan creates the following files:
- %system%\winbotex\starter.exe (903177 B)
- %temp%\UuU.uUu
- %temp%\XxX.xXx
The trojan may create the following files:
- %appdata%\cglogs.dat
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{OTU7263I-A7TK-4J0A-04X5-K0B7SQ7YNB2S}]
- "StubPath" = "%system%\winbotex\starter.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
- "Policies" = "%system%\winbotex\starter.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "HKLM" = "%system%\winbotex\starter.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "Policies" = "%system%\winbotex\starter.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "HKCU" = "%system%\winbotex\starter.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\Rune]
- "FirstExecution" = "%variable%"
- "NewIdentification" = "Rune"
A string with variable content is used in place of %variable%.
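The persistence locations listed above (the Active Setup StubPath, the two Policies\Explorer\Run keys, the two Run keys and the HKCU\Software\Rune marker key) can be audited offline from a registry export. The following Python script is an added example and is not part of the ESET entry; it assumes a text export in "Windows Registry Editor Version 5.00" format (as written by `reg export`) and only decodes REG_SZ values. The sample export embedded in it is constructed: the Active Setup GUID and the winbotex\starter.exe path come from the entry above, while the benign "ExampleUpdater" entry and the FirstExecution timestamp are made up for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: a .reg export mixing one benign autostart entry with the
# keys the entry describes. Only the GUID and the winbotex\starter.exe path are
# taken from the page; every other value here is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"HKLM"="C:\\Windows\\system32\\winbotex\\starter.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{OTU7263I-A7TK-4J0A-04X5-K0B7SQ7YNB2S}]
"StubPath"="C:\\Windows\\system32\\winbotex\\starter.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"="C:\\Windows\\system32\\winbotex\\starter.exe"

[HKEY_CURRENT_USER\Software\Rune]
"FirstExecution"="12/03/2015 09:14:22"
"NewIdentification"="Rune"
"""

# Autostart keys the entry says the trojan writes to (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Active Setup components are subkeys of this parent; the GUID is per sample.
ACTIVE_SETUP_PARENT = r"hkey_local_machine\software\microsoft\active setup\installed components"
# Marker key created on first execution.
MARKER_KEY = r"hkey_current_user\software\rune"
# Dropped payload, given on the page relative to %system%.
PAYLOAD_SUFFIX = r"\winbotex\starter.exe"

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Quoted (REG_SZ) data is decoded; any other type is kept as its raw
    right-hand side. hex(...) continuation lines are skipped, which is enough
    for an autostart audit where the interesting data are command lines.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


class Finding(NamedTuple):
    key: str
    value_name: str
    data: str
    reason: str


def audit_spatet_persistence(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag autostart values that launch the dropped starter.exe and the marker key."""
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        parent = k.rpartition("\\")[0]
        for name, data in values.items():
            if PAYLOAD_SUFFIX not in data.lower():
                continue
            if k in RUN_KEYS:
                findings.append(Finding(key, name, data, "Run/Policies autostart launches winbotex\\starter.exe"))
            elif parent == ACTIVE_SETUP_PARENT and name.lower() == "stubpath":
                findings.append(Finding(key, name, data, "Active Setup StubPath launches winbotex\\starter.exe"))
        if k == MARKER_KEY:
            findings.append(Finding(key, "", "", "HKCU\\Software\\Rune marker key present"))
    return findings


if __name__ == "__main__":
    for f in audit_spatet_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f.reason}: [{f.key}] {f.value_name}={f.data}")
```

Matching on the `\winbotex\starter.exe` suffix rather than the full `%system%` path keeps the check independent of the drive letter and Windows directory of the exported machine; the benign entry in the sample is left alone because its command line does not reference the dropped file.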
Information stealing
The trojan collects the following information:
- antivirus software detected on the affected machine
- operating system version
- user name
- computer name
- installed software
- Mozilla Firefox account information
- list of disk devices and their type
- list of running processes
- memory status
- CPU information
Other information
It can execute the following operations:
- retrieve information from protected storage and send it to the remote computer
- capture webcam video/voice
- log keystrokes
- steal information from the Windows clipboard
- download files from a remote computer and/or the Internet
- send files to a remote computer
- various filesystem operations
- run executable files
- create Registry entries
- delete Registry entries
- connect to remote computers on a specific port
- capture screenshots
- block keyboard and mouse input
- send open TCP and UDP port numbers to a remote computer
- redirect network traffic
- open the CD/DVD drive
- shut down/restart the computer
- show/hide application windows
- send the list of running processes to a remote computer
- terminate running processes
- remove itself from the infected computer
- update itself to a newer version
- set up a proxy server