Additional Details
Upon execution, this malware drops the following files:
• %windir%\system32\aspimgr.exe
• %windir%\s32.txt
• %windir%\ws386.ini
The files s32.txt and ws386.ini are logs.
To start automatically, it installs itself as a Windows service by creating the following registry values:
• HKLM\SYSTEM\ControlSet001\Services\aspimgr\ImagePath = 'C:\WINDOWS\System32\aspimgr.exe'
• HKLM\SYSTEM\ControlSet001\Services\aspimgr\DisplayName = 'Microsoft ASPI Manager'
It also creates the following registry entry:
• HKLM\SOFTWARE\Microsoft\Sft\{5BB68E6F-37D5-468A-992B-F34CD2A191EA}
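The dropped files, the service values and the Sft key above are the host indicators a responder would look for. The following triage helper is an added example, not code from the original write-up: it matches exported service entries, file paths and registry key names against those indicators. The SAMPLE_* inputs are constructed stand-ins for what you would export from a host (for instance "reg query" output and a directory listing); the install drive is an assumption (%windir% is taken to be C:\WINDOWS, as in the write-up's ImagePath), and the third sample service is hypothetical, included only to show that the ImagePath comparison still fires when the service name differs. When you export the services hive, read CurrentControlSet as well as ControlSet001: the write-up names ControlSet001, but the active configuration is reached through CurrentControlSet.

```python
import re

# Indicators from the write-up
IOC_SERVICE_NAME = "aspimgr"
IOC_DISPLAY_NAME = "Microsoft ASPI Manager"
IOC_IMAGE_PATH = r"%windir%\system32\aspimgr.exe"
IOC_MARKER_KEY = r"HKLM\SOFTWARE\Microsoft\Sft\{5BB68E6F-37D5-468A-992B-F34CD2A191EA}"
IOC_FILES = [r"%windir%\system32\aspimgr.exe", r"%windir%\s32.txt", r"%windir%\ws386.ini"]

# Assumed expansion of the environment variables seen in ImagePath values.
ENV = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows"}


def normalize_path(p: str) -> str:
    """Reduce a path or ImagePath value to a comparable form: drop surrounding quotes
    and service arguments, expand %windir%/%SystemRoot%, lower-case, unify slashes."""
    p = p.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # "quoted path" followed by arguments
    else:
        m = re.match(r"(.*?\.exe)(\s|$)", p, re.IGNORECASE)
        if m:                                # unquoted path followed by arguments
            p = m.group(1)
    low = p.lower().replace("/", "\\")
    for var, val in ENV.items():
        low = low.replace(var, val)
    return low


def check_services(services):
    """services: list of dicts with 'key', 'ImagePath' and 'DisplayName' exported from
    the Services hive. Returns (key, [matched indicators]) for every hit. All three
    indicators are tested, so a renamed service pointing at the same binary is caught."""
    target = normalize_path(IOC_IMAGE_PATH)
    hits = []
    for svc in services:
        key = svc["key"].rstrip("\\")
        reasons = []
        if key.rsplit("\\", 1)[-1].lower() == IOC_SERVICE_NAME:
            reasons.append("service name")
        if svc.get("DisplayName", "").strip().lower() == IOC_DISPLAY_NAME.lower():
            reasons.append("display name")
        if normalize_path(svc.get("ImagePath", "")) == target:
            reasons.append("image path")
        if reasons:
            hits.append((key, reasons))
    return hits


def check_files(paths):
    """Return the listed paths that correspond to the dropped files (case-insensitive)."""
    targets = {normalize_path(f) for f in IOC_FILES}
    return [p for p in paths if normalize_path(p) in targets]


def check_marker(keys):
    """True if the Sft marker key is among the exported key names."""
    return any(k.rstrip("\\").lower() == IOC_MARKER_KEY.lower() for k in keys)


# Constructed sample export. The third entry is hypothetical: a differently named
# service whose ImagePath still points at aspimgr.exe.
SAMPLE_SERVICES = [
    {"key": r"HKLM\SYSTEM\ControlSet001\Services\aspimgr",
     "ImagePath": r"C:\WINDOWS\System32\aspimgr.exe",
     "DisplayName": "Microsoft ASPI Manager"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
     "DisplayName": "Print Spooler"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\svcx",
     "ImagePath": r'"%SystemRoot%\system32\ASPIMGR.EXE" -svc',
     "DisplayName": "Svc X"},
]
SAMPLE_FILES = [r"C:\WINDOWS\s32.txt", r"C:\WINDOWS\system32\drivers\etc\hosts",
                r"C:\WINDOWS\WS386.INI"]
SAMPLE_KEYS = [r"HKLM\SOFTWARE\Microsoft\Sft\{5BB68E6F-37D5-468A-992B-F34CD2A191EA}",
               r"HKLM\SOFTWARE\Microsoft\Windows"]

if __name__ == "__main__":
    print(check_services(SAMPLE_SERVICES))
    print(check_files(SAMPLE_FILES))
    print(check_marker(SAMPLE_KEYS))
```

The path normalisation matters more than the literal indicators: ImagePath values in the hive may be quoted, may carry arguments, and may use %SystemRoot% rather than a drive letter, and file names on NTFS are case-insensitive, so a plain string compare against the write-up's values would miss real hits.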
It checks for Internet connectivity by attempting to connect to the following sites:
• www.yahoo.com
• www.web.de
This malware can steal information such as:
• CuteFTP client usernames and passwords
• Inetcomm server usernames and passwords
• Ipswitch WS_FTP client usernames and passwords
• Outlook account usernames and passwords
• Protected Storage usernames and passwords
• The Bat! usernames and passwords
The stolen information is sent to a collection site in an HTTP POST request.
It also harvests e-mail addresses, but skips any address that contains one of the following strings:
• abuse
• accoun
• admin
• anyone
• apache.org
• arachnoid
• -bugs
• ca.com
• caube
• cauce
• cauce.org
• certific
• -certs
• ci.el-paso.tx.us
• cloudmark.com
• digsigtrust
• e-trust
• example
• fraud
• gold-certs
• google
• ht.ht
• icrosof
• linux
• listserv
• mailwasher
• majordomo
• messagelabs
• mydomai
• nobody
• nodomai
• noone
• nothing
• paulgraham.com
• phishing
• postmaster
• privacy
• rating
• rx.t-online
• samples
• secur
• service
• somebody
• someone
• submit
• support
• symantec
• thawte
• the.bat
• valicert
• verisign
• verisign.com
• webmaster
• webroot.com
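The list above is the collector's exclusion filter: it avoids abuse desks, postmasters, mailing-list robots, anti-virus and anti-spam vendors and certificate authorities, and several entries are deliberately partial ("icrosof", "accoun", "secur") so that one substring covers several spellings. The following is an added example, not code from the original write-up, reproducing that filter so an analyst can see which addresses from a compromised mailbox would be dropped and which would be harvested. Case-insensitive substring matching is an assumption (the write-up says only that addresses "with" these strings are ignored); the strings are the write-up's list and the sample addresses are constructed.

```python
# Exclusion strings as listed in the write-up, in the same order.
SKIP_STRINGS = [
    "abuse", "accoun", "admin", "anyone", "apache.org", "arachnoid", "-bugs",
    "ca.com", "caube", "cauce", "cauce.org", "certific", "-certs", "ci.el-paso.tx.us",
    "cloudmark.com", "digsigtrust", "e-trust", "example", "fraud", "gold-certs",
    "google", "ht.ht", "icrosof", "linux", "listserv", "mailwasher", "majordomo",
    "messagelabs", "mydomai", "nobody", "nodomai", "noone", "nothing",
    "paulgraham.com", "phishing", "postmaster", "privacy", "rating", "rx.t-online",
    "samples", "secur", "service", "somebody", "someone", "submit", "support",
    "symantec", "thawte", "the.bat", "valicert", "verisign", "verisign.com",
    "webmaster", "webroot.com",
]


def matched_strings(address: str):
    """Return the skip strings found in the address (assumed lower-cased substring
    test), in list order. An empty result means the address would be harvested."""
    a = address.lower()
    return [s for s in SKIP_STRINGS if s in a]


def harvest(addresses):
    """Split addresses the way the collector would: (kept, skipped)."""
    kept, skipped = [], []
    for addr in addresses:
        (skipped if matched_strings(addr) else kept).append(addr)
    return kept, skipped


# Constructed sample of addresses found in a mailbox.
SAMPLE_ADDRESSES = [
    "alice@corp.test",        # harvested
    "Abuse@corp.test",        # skipped: "abuse" (case-insensitive)
    "accounting@corp.test",   # skipped: "accoun" also covers accounting/accounts
    "jsmith@microsoft.com",   # skipped: "icrosof" covers any casing of the vendor name
    "eve@mecca.com",          # skipped: "ca.com" is over-broad and hits unrelated domains
    "dave@mail.test",         # harvested ("mailwasher" needs the whole string)
]

if __name__ == "__main__":
    kept, skipped = harvest(SAMPLE_ADDRESSES)
    for addr in skipped:
        print(f"skip {addr}: {matched_strings(addr)}")
    print("kept:", kept)
```

Two practical consequences follow from running this over real data: the spam lists built from infected hosts systematically lack the addresses most likely to report them (abuse, postmaster, security vendors), and the blunt substring test also drops legitimate targets whose domain happens to contain a string such as "ca.com" or "rating".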