Threat Encyclopedia

Win32/Spatet.C

Aliases: Trojan-Dropper.MSIL.StubRC.bmd (Kaspersky), Generic Dropper.uu (McAfee), VirTool:Win32/BeeInject (Microsoft)
Type of infiltration: Trojan
Size: 903177 B
Affected platforms: Microsoft Windows
Signature database version: 5207 (20100618)

Short description

The trojan serves as a backdoor.

Installation

When executed, the trojan creates the following files:
  • %system%\winbotexstarter.exe (903177 B)
  • %temp%\UuU.uUu
  • %temp%\XxX.xXx
The trojan may create the following files:
  • %appdata%\cglogs.dat
In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
    Installed Components\{OTU7263I-A7TK-4J0A-04X5-K0B7SQ7YNB2S}]
    "StubPath" = "%system%\winbotexstarter.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Policies\Explorer\Run]
    "Policies" = "%system%\winbotexstarter.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run]
    "HKLM" = "%system%\winbotexstarter.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\Explorer\Run]
    "Policies" = "%system%\winbotexstarter.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "HKCU" = "%system%\winbotexstarter.exe"
The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Rune]
    "FirstExecution" = "%variable%"
    "NewIdentification" = "Rune"
A string with variable content is used instead of %variable%.
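The persistence locations above (an Active Setup StubPath, the HKLM and HKCU Run keys, and both Policies\Explorer\Run keys) are exactly the places a responder would sweep first. The PowerShell script below is an added triage example, not part of the ESET entry: it enumerates those keys, flags any value whose data references winbotexstarter.exe, checks for the dropped files and the HKCU\Software\Rune marker key, and prints the findings. It assumes it is run with administrator rights (so HKLM and System32 are readable), that %system% in the entry means the System32 directory, and that the Active Setup GUID is the one quoted in the entry.

```powershell
# Added triage example for the Win32/Spatet.C persistence locations listed in
# the entry. Not ESET's code. Assumes an elevated PowerShell session, %system%
# = $env:SystemRoot\System32, and the GUID quoted in the entry.
$ErrorActionPreference = 'SilentlyContinue'
$indicator = 'winbotexstarter.exe'
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# Autostart keys named in the entry. Active Setup runs StubPath once per user
# at logon; the Run and Policies\Explorer\Run values run at every logon.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{OTU7263I-A7TK-4J0A-04X5-K0B7SQ7YNB2S}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $autostartKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match [regex]::Escape($indicator)) {
            Add-Finding 'Registry' $key ("{0} = {1}" -f $p.Name, $p.Value)
        }
    }
}

# Infection marker key written by the trojan (values: FirstExecution, NewIdentification)
$marker = 'HKCU:\Software\Rune'
if (Test-Path -LiteralPath $marker) {
    $m = Get-ItemProperty -LiteralPath $marker
    Add-Finding 'Registry' $marker ("FirstExecution = {0}; NewIdentification = {1}" -f
        $m.FirstExecution, $m.NewIdentification)
}

# Dropped files: %system% -> System32, %temp% and %appdata% -> current user's
$droppedFiles = @(
    (Join-Path $env:SystemRoot 'System32\winbotexstarter.exe'),
    (Join-Path $env:TEMP 'UuU.uUu'),
    (Join-Path $env:TEMP 'XxX.xXx'),
    (Join-Path $env:APPDATA 'cglogs.dat')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        # The entry gives the dropper size as 903177 B; a mismatch is worth noting,
        # not a reason to dismiss the file.
        Add-Finding 'File' $f ("{0} bytes, modified {1}" -f $item.Length, $item.LastWriteTime)
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Win32/Spatet.C indicators found in the listed locations."
} else {
    $findings | Format-Table -AutoSize -Wrap
    exit 1   # non-zero so the script can gate an automated sweep
}
```

Run it per user as well as elevated: the HKCU keys and %temp%/%appdata% paths are resolved for the account running the script, so a machine with several profiles needs one pass per profile (or a loop over HKEY_USERS and C:\Users). A clean result from this script only says the entry's listed locations are clean; the backdoor capabilities below mean a confirmed hit should be treated as a full-host compromise rather than a single file to delete.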

Information stealing

The trojan collects the following information:
  • antivirus software detected on the affected machine
  • operating system version
  • user name
  • computer name
  • installed software
  • Mozilla Firefox account information
  • list of disk devices and their type
  • list of running processes
  • memory status
  • CPU information

Other information

It can execute the following operations:
  • retrieve information from protected storage and send it to
    the remote computer
  • capture webcam video/voice
  • log keystrokes
  • steal information from the Windows clipboard
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • various filesystem operations
  • run executable files
  • create Registry entries
  • delete Registry entries
  • connect to remote computers on a specific port
  • capture screenshots
  • block keyboard and mouse input
  • send open TCP and UDP port numbers to a remote computer
  • redirect network traffic
  • open the CD/DVD drive
  • shut down/restart the computer
  • show/hide application windows
  • send the list of running processes to a remote computer
  • terminate running processes
  • remove itself from the infected computer
  • update itself to a newer version
  • set up a proxy server