Threat Description

Backdoor:​W32/Agent.CTH

Details

Aliases:Backdoor:​W32/Agent.CTH
Category:Malware
Type:Backdoor
Platform:W32

Summary



Backdoor:W32/Agent.CTH is a backdoor that can steal information. Stolen information is sent to a collection site using an HTTP POST command.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Upon execution, this malware drops the following files:

  • %windir%\system32\aspimgr.exe
  • %windir%\s32.txt
  • %windir%\ws386.ini

The files s32.txt and ws386.ini are logs.As part of its autostart mechanism, it installs itself as a system service.

  • HKLM\SYSTEM\ControlSet001\Services\aspimgr\ ImagePath = 'C:\WINDOWS\System32\aspimgr.exe'
  • HKLM\SYSTEM\ControlSet001\Services\aspimgr\ DisplayName = 'Microsoft ASPI Manager'

It also creates the following registry entry:

  • HKLM\SOFTWARE\Microsoft\Sft\ {5BB68E6F-37D5-468A-992B-F34CD2A191EA}

It checks for Internet connectivity by attempting to connect to the following sites:

  • www.yahoo.com
  • www.web.de

This malware can steal information such as:

  • Cute FTP client username/passwords
  • Inetcomm server username/passwords
  • IPswitch WS_FTP client username/passwords
  • Outlook account username/passwords
  • Protected storage username/passwords
  • The Bat! username/passwords

Stolen information is sent to a collection site using an HTTP POST command.It also collects e-mail addresses but ignores addresses with the following strings:

  • abuse
  • accoun
  • admin
  • anyone
  • apache.org
  • arachnoid
  • -bugs
  • ca.com
  • caube
  • cauce
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cloudmark.com
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • ht.ht
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • paulgraham.com
  • phishing
  • postmaster
  • privacy
  • rating
  • rx.t-online
  • samples
  • secur
  • service
  • somebody
  • someone
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • valicert
  • verisign
  • verisign.com
  • webmaster
  • webroot.com





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More