Microsoft security software detects and removes this threat.

This threat can steal your personal information, such as your online user names and passwords.

It is installed on your PC when you open a file attached to a phishing email.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Trojan:Win32/Retefe.A has been used in a number of targeted attacks. We have seen it used in various forms, including packed with UPX, and protected by custom packers to deter detection by security products.


It is usually distributed by targeted email phishing attacks. The phishing email tries to look like it comes from a legitimate company, such as that shown below.


When the attached file is run by the victim, Trojan:Win32/Retefe.A is downloaded and installed to %ALLUSERSPROFILE%.  We have seen it use the file name netupdater.exe.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Malware name>"
With data: "%ALLUSERSPROFILE%.\<Malware Name>.exe"

To remain undetected Trojan:Win32/Retefe.A can show a message window suggesting an update needs to be installed when it needs to run as administrator. The malware can use a message in different languages, including German and English.


Steals sensitive information

Trojan:Win32/Retefe.A can steal sensitive information from your PC, such as your online user names and passwords. It does this by installing a fake self-signed certificate and intercepting traffic through your Internet browser.

It installs a fake self-signed certificate with the thumbprint 3DDF56A7004D90034D77E2D97F68C56FAA3C93AD:

It then installs the self-signed certificate to be used by the Firefox browser.

It also changes the DNS server to an IP address of a server controlled by the attacker. We have seen the following IP addresses being used:


Stops processes

Trojan:Win32/Retefe.A terminates the following processes if they are running:

  • iexplore.exe
  • firefox.exe
  • chrome.exe

Analysis by Daniel Radu


The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<Malware name>"
    With data: "%ALLUSERSPROFILE%.\<Malware Name>.exe"
  • You see one of these pop-ups:


Alert level: Severe
First detected by definition: 1.165.3417.0
Latest detected by definition: 1.179.2442.0 and higher
First detected on: Feb 06, 2014
This entry was first published on: Feb 27, 2014
This entry was updated on: Jul 28, 2014

This threat is also detected as:
No known aliases