Win32/SpyVoltar [Threat Name]
Win32/SpyVoltar.B [Threat Variant Name]
|Detection created|Jul 14, 2013|
|Signature database version|8564|
The trojan serves as a backdoor. It can be controlled remotely.
The trojan does not create any copies of itself.
The trojan launches the following processes:
The trojan creates and runs a new thread with its own code within these running processes.
The trojan schedules a task that causes the following file to be executed repeatedly:
In order to be executed on every system start, the trojan sets the following Registry entry:
- "%variable1%" = "%malwarefilepath%"
The trojan creates the following files:
A string with variable content is used instead of %variable1-2%.
The trojan collects information related to the following applications:
- FAR Manager
- FTP Commander
- Total Commander
The following information is collected:
- FTP account information
- operating system version
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 20 URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc.