F-Secure Malware Information Pages: Backdoor:W32/Agent.CTH

Summary
Backdoor:W32/Agent.CTH is a backdoor that can steal information.
Stolen information is sent to a collection site using an HTTP POST command.
Detailed Description
Upon execution, this malware drops the following files:
- %windir%\system32\aspimgr.exe
- %windir%\s32.txt
- %windir%\ws386.ini
The files s32.txt and ws386.ini are logs.
As part of its autostart mechanism, it installs itself as a system service:
- HKLM\SYSTEM\ControlSet001\Services\aspimgr\ImagePath = 'C:\WINDOWS\System32\aspimgr.exe'
- HKLM\SYSTEM\ControlSet001\Services\aspimgr\DisplayName = 'Microsoft ASPI Manager'
It also creates the following registry entry:
- HKLM\SOFTWARE\Microsoft\Sft\{5BB68E6F-37D5-468A-992B-F34CD2A191EA}
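As an added example that is not part of the F-Secure description, the following read-only PowerShell check looks for the dropped files, the aspimgr service and the registry entries listed above. It assumes the GUID under HKLM\SOFTWARE\Microsoft\Sft may be either a subkey or a value name and checks both, and it also looks at CurrentControlSet, which the description does not mention.

```powershell
# Added example (not F-Secure's): read-only host check for the Agent.CTH
# artifacts described above. Run from an elevated PowerShell prompt.
$windir   = $env:windir
$findings = @()

# 1. Dropped files (%windir% resolved from the environment)
foreach ($p in @("$windir\system32\aspimgr.exe", "$windir\s32.txt", "$windir\ws386.ini")) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. The 'aspimgr' service. The description names ControlSet001; the live
#    service list and CurrentControlSet are checked as well (assumption, so
#    the check still works when another control set is the active one).
$svc = Get-Service -Name 'aspimgr' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service present: $($svc.Name) ('$($svc.DisplayName)'), status $($svc.Status)"
}
foreach ($cs in @('ControlSet001', 'CurrentControlSet')) {
    $key = "HKLM:\SYSTEM\$cs\Services\aspimgr"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "Registry key present: $key (ImagePath = '$img')"
    }
}

# 3. The GUID under HKLM\SOFTWARE\Microsoft\Sft. The description does not say
#    whether it is a subkey or a value name, so both are checked (assumption).
$sft  = 'HKLM:\SOFTWARE\Microsoft\Sft'
$guid = '{5BB68E6F-37D5-468A-992B-F34CD2A191EA}'
if (Test-Path -LiteralPath "$sft\$guid") {
    $findings += "Registry key present: $sft\$guid"
} elseif (Test-Path -LiteralPath $sft) {
    $props = Get-ItemProperty -LiteralPath $sft -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $guid)) {
        $findings += "Registry value present: $sft\$guid"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor:W32/Agent.CTH artifacts found.'
} else {
    Write-Output 'Possible Backdoor:W32/Agent.CTH infection; review before acting:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the log files alone is weak evidence on its own; the service entry pointing at %windir%\system32\aspimgr.exe is the stronger indicator and worth confirming against the file's hash with your AV vendor.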
It checks for Internet connectivity by attempting to connect to the following sites:
This malware can steal information such as:
- Cute FTP client username/passwords
- Inetcomm server username/passwords
- IPswitch WS_FTP client username/passwords
- Outlook account username/passwords
- Protected storage username/passwords
- The Bat! username/passwords
Stolen information is sent to a collection site using an HTTP POST command.
It also collects e-mail addresses but ignores addresses with the following strings:
- abuse
- accoun
- admin
- anyone
- apache.org
- arachnoid
- -bugs
- ca.com
- caube
- cauce
- cauce.org
- certific
- -certs
- ci.el-paso.tx.us
- cloudmark.com
- digsigtrust
- e-trust
- example
- fraud
- gold-certs
- google
- ht.ht
- icrosof
- linux
- listserv
- mailwasher
- majordomo
- messagelabs
- mydomai
- nobody
- nodomai
- noone
- nothing
- paulgraham.com
- phishing
- postmaster
- privacy
- rating
- rx.t-online
- samples
- secur
- service
- somebody
- someone
- submit
- support
- symantec
- thawte
- the.bat
- valicert
- verisign
- verisign.com
- webmaster
- webroot.com
F-Secure Corporation
Last Modified: January 15, 2008