Home / malware TrojanSpy:Win32/Keatep.B
First posted on 10 May 2010.
Source: SecurityHomeAliases :
TrojanSpy:Win32/Keatep.B is also known as Win-Trojan/Xema.variant (AhnLab), W32/Keatep.B.gen!Eldorado (Authentium (Comma, W32/Spambot.gen.3248299 (Norman), Trojan horse SpamTool.FWG (AVG), Win32/Maazben!generic (CA), Trj/SpamBot.AR (Panda).
Explanation :
TrojanSpy:Win32/Keatep.B is a trojan that steals FTP credentials and sends it to a remote attacker. It also injects malicious Iframe code that points to a certain Web site. It also disables the Windows firewall and connects to a remote Web site to potentially download arbitrary files.
Top
TrojanSpy:Win32/Keatep.B is a trojan that steals FTP credentials and sends it to a remote attacker. It also injects malicious Iframe code that points to a certain Web site. It also disables the Windows firewall and connects to a remote Web site to potentially download arbitrary files. Installation When executed, TrojanSpy:Win32/Keatep.B creates the mutex "SIDUY928WUOI0192" to ensure that only one instance of itself is running. Payload Injects malicious Iframe TrojanSpy:Win32/Keatep.B may try to inject a potentially malicious Iframe pointing to the Web site "besloqawe.com". Disables Windows firewall TrojanSpy:Win32/Keatep.B attempts to disable the Windows firewall by running the following command: netsh firewall set opmode disable It also adds itself to the authorized application list in the Windows firewall: Adds value: "<Malware File>" With data: "<Malware File>:*:enabled:ipsec" In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Connects to a remote Web site TrojanSpy:Win32/Keatep.B attempts to connect to the following Web sites to download other files:microupdate14.info kukutrustnet888.info Steals FTP credentials TrojanSpy:Win32/Keatep.B attempts to steal credentials for various FTP programs, such as "Total Commander" and "FileZilla". If gathered, TrojanSpy:Win32/Keatep.B uploads the gathered credentials to a remote location.
Analysis by Andrei Florin SaygoLast update 10 May 2010