TROJ_AGENT.AHTU


This Trojan arrives as a file downloaded from a certain URL.

Upon execution, it drops a copy of itself in the system folder. It then appends extra code to the end of the dropped copy to avoid easy detection.
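Appending bytes to the dropped copy changes its whole-file hash, so the copy no longer matches a hash of the downloaded file. The following is an added example, not taken from the original write-up: it assumes the dropped copy is a Windows PE file and that the extra bytes sit after the last section (an overlay). The function names and the sample file are constructed for illustration.

```python
import hashlib
import struct

def pe_image_end(data: bytes) -> int:
    """Offset just past the last section's raw data in a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                            # first section header
    end = table + 40 * num_sections                           # headers belong to the image
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def overlay_size(data: bytes) -> int:
    """Number of bytes that follow the last section (0 when nothing is appended)."""
    return len(data) - pe_image_end(data)

def image_sha256(data: bytes) -> str:
    """Hash with any overlay stripped, so appended bytes do not change it."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()

def build_sample_pe() -> bytes:
    """Constructed PE-shaped buffer: headers plus one 0x200-byte section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + b"\0" * 0xE0 + section
    return headers.ljust(0x200, b"\0") + b"\x90" * 0x200

if __name__ == "__main__":
    original = build_sample_pe()
    dropped = original + b"\x41" * 37     # constructed stand-in for the appended bytes
    print("overlay bytes:", overlay_size(original), overlay_size(dropped))
    print("whole-file hashes equal:",
          hashlib.sha256(original).digest() == hashlib.sha256(dropped).digest())
    print("image hashes equal:", image_sha256(original) == image_sha256(dropped))
```

An overlay on its own is not a verdict: Authenticode signatures and many installers also store data after the last section, so treat it as one signal alongside file location and the registry changes described below.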

It modifies a registry entry to enable its automatic execution at system startup. It also creates a registry entry as part of its installation routine.

It connects to a certain Web site to download an encrypted configuration file. Once decrypted, the configuration file contains a list of targeted bank-related Web sites to monitor and steal information from. Note that the contents of the file, and hence the list of Web sites to monitor, may change at any time.

It gathers information by logging user keystrokes.

This Trojan attempts to retrieve information from banks or banking institutions.

It steals sensitive information, such as user names and passwords, and saves it in a certain file. This routine risks the exposure of sensitive information, which may then lead to the unauthorized use of the stolen data. It then sends the file to a certain URL via HTTP POST.

It creates a mutex to ensure that only one instance of itself is running in memory. It also hides files and processes, and it checks for the presence of certain processes related to popular firewall applications.




Original Source: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AHTU
