Win32/SpyVoltar [Threat Name]

Win32/SpyVoltar.B [Threat Variant Name]

Category trojan
Size 152064 B
Detection created Jul 14, 2013
Signature database version 8564
Aliases Trojan.Win32.Inject.gudd (Kaspersky)
  Trojan:Win32/Vundo (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.

The trojan launches a new instance of its own file:

  • %malwarefilepath%

The trojan then creates and runs a new thread with its own code inside that process (process injection).

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %malwarefilepath%

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%malwarefilepath%"

The trojan creates the following files:

  • %currentfolder%\%variable2%

%variable1% and %variable2% stand for strings with variable content.
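Added example (not part of the ESET entry): the Run-key value and the scheduled task above both point at %malwarefilepath%, so one triage check is to cross-reference the two persistence stores. The Python below parses a "reg export" of the HKCU Run key and the CSV output of "schtasks /query /fo CSV /v" and reports every executable that appears in both. The registry export and task listing embedded in it are constructed for illustration; the value name jxq8wz, the task name \Update-jxq8wz and the file path are invented, not indicators for this family.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Extensions treated as "the program" when a command line is unquoted.
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1")

# One REG_SZ value line from a .reg export: "name"="data", with \" and \\ escapes.
# REG_EXPAND_SZ values are exported as hex(2):... and are not parsed here.
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape_reg(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run value or task-action command line."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: a path containing spaces can only be recognised by its
    # extension, so accumulate tokens until one ends in an executable extension.
    tokens = cmd.split(" ")
    acc = ""
    for tok in tokens:
        acc = tok if not acc else acc + " " + tok
        if acc.lower().endswith(EXEC_EXTS):
            return acc
    return tokens[0]


def normalise(path: str) -> str:
    """Case-fold and strip quotes so registry and schtasks spellings compare equal."""
    return path.strip().strip('"').lower()


def parse_run_key_export(reg_text: str) -> Dict[str, str]:
    """Map value name -> command line from a reg export of the Run key."""
    entries: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            entries[_unescape_reg(m.group(1))] = _unescape_reg(m.group(2))
    return entries


def parse_schtasks_csv(csv_text: str) -> List[Tuple[str, str]]:
    """(task name, command) pairs from schtasks /query /fo CSV /v output."""
    tasks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":  # schtasks repeats the header row per task folder
            continue
        tasks.append((name, row.get("Task To Run", "")))
    return tasks


def find_double_persistence(reg_text: str, csv_text: str) -> List[dict]:
    """Executables referenced by both a Run value and a scheduled task."""
    by_path: Dict[str, List[str]] = {}
    for name, cmd in parse_run_key_export(reg_text).items():
        by_path.setdefault(normalise(executable_from_command(cmd)), []).append(name)
    hits = []
    for task, cmd in parse_schtasks_csv(csv_text):
        p = normalise(executable_from_command(cmd))
        if p and p in by_path:
            hits.append({"path": p, "run_values": by_path[p], "task": task})
    return hits


# Constructed sample input: a reg export and an abridged schtasks listing
# (only the columns used here; the real /v output has many more).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"jxq8wz"="C:\\Users\\alice\\Downloads\\invoice_scan.exe"
'''

SAMPLE_TASKS = '''"HostName","TaskName","Next Run Time","Status","Task To Run","Schedule Type"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly"
"HostName","TaskName","Next Run Time","Status","Task To Run","Schedule Type"
"WS01","\\Update-jxq8wz","7/14/2013 10:05:00 AM","Ready","C:\\Users\\alice\\Downloads\\invoice_scan.exe","Minute"
'''

if __name__ == "__main__":
    for hit in find_double_persistence(SAMPLE_REG, SAMPLE_TASKS):
        print(f"{hit['path']}  Run value(s): {hit['run_values']}  task: {hit['task']}")
```

On a live host, feed it the output of "reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg" and "schtasks /query /fo CSV /v > tasks.csv"; a benign program rarely registers itself in both places, so any hit is worth a look, and a hit whose Run value name looks random is doubly so.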

Information stealing

The trojan collects information related to the following applications:

  • CuteFTP
  • FAR Manager
  • FileZilla
  • FlashFXP
  • FTP Commander
  • SmartFTP
  • Total Commander
  • WinSCP

The following information is collected:

  • FTP account information
  • operating system version

The trojan attempts to send gathered information to a remote machine.
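Added example (not part of the ESET entry): the FTP account information listed above is typically read straight from each client's saved-site store, which any code running as the logged-on user can open. The Python below audits a FileZilla sitemanager.xml (on Windows normally %APPDATA%\FileZilla\sitemanager.xml) and shows what a harvester recovers: a password stored with encoding="base64" decodes trivially, an unencoded <Pass> from an old FileZilla version is plaintext, and only entries protected by a FileZilla master password (encoding="crypt") cannot be recovered from the file alone. The sitemanager.xml embedded below is constructed; the hosts, user names and passwords are invented.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

# Values of the "storage" field, weakest to strongest.
PLAINTEXT, BASE64, MASTER_PASSWORD, NONE = "plaintext", "base64", "master-password", "none"


def filezilla_sites(xml_text: str) -> List[Dict[str, str]]:
    """One record per <Server> in sitemanager.xml, with the password as a
    user-level reader of the file would obtain it.
      - <Pass encoding="base64">  decoded here (FileZilla 3.x default)
      - <Pass> without encoding    plaintext (older layouts)
      - <Pass encoding="crypt">    master-password protected; the file alone
                                   does not yield it, so it is left empty
    """
    root = ET.fromstring(xml_text)
    sites = []
    for srv in root.iter("Server"):
        pw = srv.find("Pass")
        secret, storage = "", NONE
        if pw is not None and (pw.text or "").strip():
            enc = pw.get("encoding")
            if enc == "base64":
                secret = base64.b64decode(pw.text.strip()).decode("utf-8", "replace")
                storage = BASE64
            elif enc == "crypt":
                storage = MASTER_PASSWORD
            else:
                secret = pw.text.strip()
                storage = PLAINTEXT
        sites.append({
            "name": srv.findtext("Name") or "",
            "host": srv.findtext("Host") or "",
            "port": srv.findtext("Port") or "",
            "user": srv.findtext("User") or "",
            "password": secret,
            "storage": storage,
        })
    return sites


def exposed_credentials(sites: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries whose password is recoverable by anyone who can read the file."""
    return [s for s in sites if s["storage"] in (PLAINTEXT, BASE64)]


# Constructed sitemanager.xml: hosts, users and passwords are invented.
SAMPLE_SITEMANAGER = """<FileZilla3 version="3.10.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webmaster</User>
      <Pass encoding="base64">UzNjcjN0UGFzcw==</Pass>
      <Logontype>1</Logontype>
      <Name>example site</Name>
    </Server>
    <Server>
      <Host>legacy.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>legacy</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>alice</User>
      <Pass encoding="crypt" pubkey="AAAA">BBBB</Pass>
      <Logontype>1</Logontype>
      <Name>protected</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

if __name__ == "__main__":
    sites = filezilla_sites(SAMPLE_SITEMANAGER)
    for s in exposed_credentials(sites):
        print(f"{s['user']}@{s['host']}:{s['port']}  password={s['password']!r}  ({s['storage']})")
    print(f"{len(exposed_credentials(sites))} of {len(sites)} saved sites expose a password")
```

The same audit applies to the other clients in the list; each keeps its own saved-session store (for example WinSCP under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions or WinSCP.ini, Total Commander in wcx_ftp.ini). Any credential that this check prints is one an infection of this kind would have taken, so after cleanup those FTP passwords should be rotated, and master-password or key-based logon preferred where the client supports it.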

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 20 URLs and contacts them over HTTP.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan also sends HTTP requests that simulate clicks on banner advertisements, inflate web counter statistics, etc.
