Threat Description

Backdoor: W32/Agent.CTH


Category: Malware
Type: Backdoor
Platform: W32
Aliases: Backdoor:W32/Agent.CTH


Backdoor:W32/Agent.CTH is a backdoor that can steal information. Stolen information is sent to a collection site using an HTTP POST command.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Upon execution, this malware drops the following files:

  • %windir%\system32\aspimgr.exe
  • %windir%\s32.txt
  • %windir%\ws386.ini

The files s32.txt and ws386.ini are logs.As part of its autostart mechanism, it installs itself as a system service.

  • HKLM\SYSTEM\ControlSet001\Services\aspimgr\ ImagePath = 'C:\WINDOWS\System32\aspimgr.exe'
  • HKLM\SYSTEM\ControlSet001\Services\aspimgr\ DisplayName = 'Microsoft ASPI Manager'

It also creates the following registry entry:

  • HKLM\SOFTWARE\Microsoft\Sft\ {5BB68E6F-37D5-468A-992B-F34CD2A191EA}

It checks for Internet connectivity by attempting to connect to the following sites:


This malware can steal information such as:

  • Cute FTP client username/passwords
  • Inetcomm server username/passwords
  • IPswitch WS_FTP client username/passwords
  • Outlook account username/passwords
  • Protected storage username/passwords
  • The Bat! username/passwords

Stolen information is sent to a collection site using an HTTP POST command.It also collects e-mail addresses but ignores addresses with the following strings:

  • abuse
  • accoun
  • admin
  • anyone
  • arachnoid
  • -bugs
  • caube
  • cauce
  • certific
  • -certs
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • phishing
  • postmaster
  • privacy
  • rating
  • rx.t-online
  • samples
  • secur
  • service
  • somebody
  • someone
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • valicert
  • verisign
  • webmaster


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More