Home / malware TrojanSpy:Win32/Clemint.A
First posted on 13 October 2014.
Source: MicrosoftAliases :
There are no other names known for TrojanSpy:Win32/Clemint.A.
Explanation :
Threat behavior
Installation
TrojanSpy:Win32/Clemint.A copies itself to %windir%\mcclient.exe.
Payload
Changes system security settings
TrojanSpy:Win32/Clemint.A adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:
Adds value: "C:\WINDOWS\mcclient.exe"
With data: "c:\windows\mcclient.exe:*:enabled:mcclient"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Contacts remote hosts
The malware can contact the following remote hosts:
- mcclient.0catch.com using port 80
- mcclient.freetzi.com using port 80
- tools.google.com using port 80
- tools.google.com using port 443
Commonly, malware contacts a remote host to:
- Confirm Internet connectivity
- Report a new infection to its author
- Receive configuration or other data
- Download and run files (including updates and other malware)
- Receive instruction from a remote hacker
- Upload information taken from your PC
This malware description was produced and published using automated analysis of file SHA1 72110afaaa50160f1d9cc33fe1b72e0bde118095.Symptoms
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
%windir%\mcclient.exe
- You see these entries or keys in your registry:
Sets value: "C:\WINDOWS\mcclient.exe"
With data: "c:\windows\mcclient.exe:*:enabled:mcclient"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ListLast update 13 October 2014
