Threat Description

Backdoor:W32/Agent.CTH

Details

Aliases: Backdoor:W32/Agent.CTH
Category: Malware
Type: Backdoor
Platform: W32

Summary

Backdoor:W32/Agent.CTH is a backdoor that can steal information. Stolen information is sent to a collection site using an HTTP POST command.

Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Upon execution, this malware drops the following files:

  • %windir%\system32\aspimgr.exe
  • %windir%\s32.txt
  • %windir%\ws386.ini

The files s32.txt and ws386.ini are log files. As part of its autostart mechanism, it installs itself as a system service:

  • HKLM\SYSTEM\ControlSet001\Services\aspimgr\ ImagePath = 'C:\WINDOWS\System32\aspimgr.exe'
  • HKLM\SYSTEM\ControlSet001\Services\aspimgr\ DisplayName = 'Microsoft ASPI Manager'

It also creates the following registry entry:

  • HKLM\SOFTWARE\Microsoft\Sft\ {5BB68E6F-37D5-468A-992B-F34CD2A191EA}
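
As an added host check (this is not F-Secure's tooling or code from the original description), the following PowerShell looks for the dropped files, the service registration and the marker key listed above and reports what it finds. It assumes an elevated PowerShell session on the host under review; it also checks CurrentControlSet alongside the ControlSet001 path given on the page, and the function name Find-AgentCthIndicators is the author's own choice.

```powershell
# Added example (not F-Secure's tooling): check a Windows host for the file,
# service and registry indicators listed in this description.
# Assumes an elevated PowerShell session; the function name is the author's own.
function Find-AgentCthIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # Dropped files, with %windir% expanded from the environment
    $files = @(
        (Join-Path $env:windir 'system32\aspimgr.exe'),
        (Join-Path $env:windir 's32.txt'),
        (Join-Path $env:windir 'ws386.ini')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $item = Get-Item -LiteralPath $f
            $sha  = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{
                Kind = 'File'; Indicator = $f
                Detail = "size=$($item.Length) modified=$($item.LastWriteTimeUtc.ToString('u')) sha256=$sha"
            })
        }
    }

    # Service persistence. The page lists ControlSet001; CurrentControlSet is
    # checked as well because that is the set the running system uses.
    foreach ($key in 'HKLM:\SYSTEM\ControlSet001\Services\aspimgr',
                     'HKLM:\SYSTEM\CurrentControlSet\Services\aspimgr') {
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            $findings.Add([pscustomobject]@{
                Kind = 'Service'; Indicator = $key
                Detail = "ImagePath=$($p.ImagePath) DisplayName=$($p.DisplayName)"
            })
        }
    }

    # Marker under HKLM\SOFTWARE\Microsoft\Sft. The page does not say whether
    # the GUID is a subkey or a value name, so both forms are checked.
    $guid = '{5BB68E6F-37D5-468A-992B-F34CD2A191EA}'
    $sft  = 'HKLM:\SOFTWARE\Microsoft\Sft'
    if (Test-Path -LiteralPath (Join-Path $sft $guid)) {
        $findings.Add([pscustomobject]@{ Kind = 'Registry'; Indicator = "$sft\$guid"; Detail = 'subkey present' })
    }
    elseif ((Test-Path -LiteralPath $sft) -and
            ($null -ne (Get-ItemProperty -LiteralPath $sft -Name $guid -ErrorAction SilentlyContinue))) {
        $findings.Add([pscustomobject]@{ Kind = 'Registry'; Indicator = "$sft\$guid"; Detail = 'value present' })
    }

    # Live state: a registered service or a running process named aspimgr
    $svc = Get-Service -Name aspimgr -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add([pscustomobject]@{ Kind = 'RunningService'; Indicator = 'aspimgr'; Detail = "status=$($svc.Status)" })
    }
    foreach ($proc in Get-Process -Name aspimgr -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{ Kind = 'Process'; Indicator = 'aspimgr.exe'; Detail = "pid=$($proc.Id) path=$($proc.Path)" })
    }

    return $findings
}

$result = @(Find-AgentCthIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Agent.CTH indicators found on this host.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it as Administrator so the HKLM keys and %windir%\system32 are readable. The file hash and last-write time are recorded so that evidence survives disinfection; a hit under ControlSet001 but not CurrentControlSet means the service entry lives in a backup control set rather than the one currently in use.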

It checks for Internet connectivity by attempting to connect to the following sites:

  • www.yahoo.com
  • www.web.de

This malware can steal information such as:

  • Cute FTP client username/passwords
  • Inetcomm server username/passwords
  • IPswitch WS_FTP client username/passwords
  • Outlook account username/passwords
  • Protected storage username/passwords
  • The Bat! username/passwords

Stolen information is sent to a collection site using an HTTP POST command. It also collects e-mail addresses but ignores addresses containing the following strings:

  • abuse
  • accoun
  • admin
  • anyone
  • apache.org
  • arachnoid
  • -bugs
  • ca.com
  • caube
  • cauce
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cloudmark.com
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • ht.ht
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • paulgraham.com
  • phishing
  • postmaster
  • privacy
  • rating
  • rx.t-online
  • samples
  • secur
  • service
  • somebody
  • someone
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • valicert
  • verisign
  • verisign.com
  • webmaster
  • webroot.com




