

Backdoor:W32/Agent.CTH


Aliases:


Backdoor:W32/Agent.CTH

Malware
Backdoor
W32

Summary

Backdoor:W32/Agent.CTH is a backdoor that can steal information. Stolen information is sent to a collection site using an HTTP POST command.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Upon execution, this malware drops the following files:

  • %windir%\system32\aspimgr.exe
  • %windir%\s32.txt
  • %windir%\ws386.ini

The files s32.txt and ws386.ini are logs.

As part of its autostart mechanism, it installs itself as a system service:

  • HKLM\SYSTEM\ControlSet001\Services\aspimgr\ ImagePath = 'C:\WINDOWS\System32\aspimgr.exe'
  • HKLM\SYSTEM\ControlSet001\Services\aspimgr\ DisplayName = 'Microsoft ASPI Manager'

It also creates the following registry entry:

  • HKLM\SOFTWARE\Microsoft\Sft\ {5BB68E6F-37D5-468A-992B-F34CD2A191EA}
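
The file and registry artifacts listed above can be checked on a suspect host with a short PowerShell function. This is an added example, not F-Secure's code. Assumptions not on the original page: the function name, the SysWOW64 and WOW6432Node locations (where 64-bit Windows redirects writes from 32-bit processes), the CurrentControlSet check, and testing the GUID both as a subkey and as a value name, since the entry does not say which it is.

```powershell
# Added example: report which Backdoor:W32/Agent.CTH artifacts exist on this host.
# Run from an elevated PowerShell session. Get-AgentCthArtifact is a hypothetical name.
function Get-AgentCthArtifact {
    $found = @()

    # Dropped files. SysWOW64 is an added assumption: on 64-bit Windows a
    # 32-bit process writing to system32 is redirected there.
    $files = 'system32\aspimgr.exe', 'SysWOW64\aspimgr.exe', 's32.txt', 'ws386.ini' |
        ForEach-Object { Join-Path $env:windir $_ }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $i = Get-Item -LiteralPath $f -Force
            $found += [pscustomobject]@{
                Kind   = 'File'
                Item   = $f
                Detail = "size=$($i.Length) modified=$($i.LastWriteTimeUtc.ToString('u'))"
            }
        }
    }

    # Service key. The description lists ControlSet001; CurrentControlSet
    # (the active control set) is checked as well.
    foreach ($set in 'ControlSet001', 'CurrentControlSet') {
        $key = "HKLM:\SYSTEM\$set\Services\aspimgr"
        if (Test-Path -LiteralPath $key) {
            $svc = Get-ItemProperty -LiteralPath $key
            $found += [pscustomobject]@{
                Kind   = 'Service'
                Item   = $key
                Detail = "ImagePath=$($svc.ImagePath) DisplayName=$($svc.DisplayName)"
            }
        }
    }

    # Marker entry under Microsoft\Sft, in the native and the 32-bit registry view.
    $guid = '{5BB68E6F-37D5-468A-992B-F34CD2A191EA}'
    foreach ($base in 'HKLM:\SOFTWARE\Microsoft\Sft', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Sft') {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $asSubkey = Test-Path -LiteralPath "$base\$guid"
        $asValue  = (Get-Item -LiteralPath $base).GetValueNames() -contains $guid
        if ($asSubkey -or $asValue) {
            $found += [pscustomobject]@{
                Kind = 'Registry'; Item = "$base\$guid"; Detail = "subkey=$asSubkey value=$asValue" }
        }
    }
    return $found
}

Get-AgentCthArtifact | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed artifacts were found at these locations; it does not by itself show the host is clean.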

It checks for Internet connectivity by attempting to connect to the following sites:

  • www.yahoo.com
  • www.web.de

This malware can steal information such as:

  • Cute FTP client username/passwords
  • Inetcomm server username/passwords
  • IPswitch WS_FTP client username/passwords
  • Outlook account username/passwords
  • Protected storage username/passwords
  • The Bat! username/passwords

Stolen information is sent to a collection site using an HTTP POST command.

It also collects e-mail addresses, but ignores addresses that contain any of the following strings:

  • abuse
  • accoun
  • admin
  • anyone
  • apache.org
  • arachnoid
  • -bugs
  • ca.com
  • caube
  • cauce
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cloudmark.com
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • ht.ht
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • paulgraham.com
  • phishing
  • postmaster
  • privacy
  • rating
  • rx.t-online
  • samples
  • secur
  • service
  • somebody
  • someone
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • valicert
  • verisign
  • verisign.com
  • webmaster
  • webroot.com





