TrojanSpy:Win32/Keatep.B is a trojan that steals FTP credentials and sends them to a remote attacker. It also injects malicious Iframe code that points to a certain Web site, disables the Windows firewall, and connects to a remote Web site to potentially download arbitrary files.
When executed, TrojanSpy:Win32/Keatep.B creates the mutex "SIDUY928WUOI0192" to ensure that only one instance of itself is running.
Injects malicious Iframe
TrojanSpy:Win32/Keatep.B may try to inject a potentially malicious Iframe pointing to the Web site "besloqawe.com".
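As an added detection example (not part of the original write-up or any Microsoft tooling), the following Python script scans HTML content for injected iframes. It flags a frame either because its host is the domain named above, or because the frame is hidden (zero-size or styled invisible), which is the usual shape of an injected iframe regardless of the host it points at. The HTML sample and the hostnames other than "besloqawe.com" are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in the write-up; add further hosts as your own intel warrants.
SUSPICIOUS_HOSTS = {"besloqawe.com"}


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def host_is_suspicious(host):
    """True when the host is a listed domain or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS)


def iframe_is_hidden(attrs):
    """Heuristic: invisible or 1x1 frames are characteristic of injected content."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:  # e.g. "100%"; treat non-numeric sizes as visible
        return False
    return width <= 1 or height <= 1


def find_injected_iframes(html):
    """Return a finding for each iframe that points at a known-bad host or is hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        known = host_is_suspicious(host)
        hidden = iframe_is_hidden(attrs)
        if known or hidden:
            findings.append(
                {"src": src, "host": host, "known_bad_host": known, "hidden": hidden}
            )
    return findings


# Constructed sample page: one legitimate embed, one injected frame pointing at the
# domain from the write-up, and one hidden frame pointing at an unlisted host.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<p>Contact us for details.</p>
<iframe src="http://besloqawe.com/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://example.net/counter.php" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_HTML):
        print(f)
```

Run the scan over a crawl of the web root on any host whose FTP credentials may have been exposed; a hit with `known_bad_host` is an indicator of this family, while a `hidden`-only hit warrants a manual look at the page.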
Disables Windows firewall
TrojanSpy:Win32/Keatep.B attempts to disable the Windows firewall by running the following command:
netsh firewall set opmode disable
It also adds itself to the authorized application list in the Windows firewall:
Adds value: "<Malware File>"
With data: "<Malware File>:*:enabled:ipsec"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
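The two firewall changes above leave artifacts a defender can look for: the `netsh` command line in process-creation logs, and an `AuthorizedApplications\List` value whose data has the form `<path>:<scope>:<mode>:<name>`. The Python below is an added example, not part of the original write-up or of Microsoft's tooling. It matches the disable command (and, as a generalization beyond this page, the equivalent `netsh advfirewall ... state off` syntax of newer Windows versions) against constructed log lines, and parses exported `List` values to flag enabled entries that point into user-writable directories, that reuse the generic name "ipsec" for a non-system binary, or whose value name does not match the path. All log lines, paths and user names in the sample data are constructed; the malware path is a placeholder.

```python
import re

# Old "netsh firewall" syntax from the write-up plus the newer "advfirewall" form.
FIREWALL_DISABLE = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+set\s+opmode\s+(?:mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)",
    re.IGNORECASE,
)


def is_firewall_disable_command(cmdline):
    """True when a command line turns the Windows firewall off."""
    return FIREWALL_DISABLE.search(cmdline) is not None


def find_firewall_disable_events(log_lines):
    """Return the process-creation log lines whose CommandLine disables the firewall."""
    hits = []
    for line in log_lines:
        _, _, cmdline = line.partition("CommandLine=")
        if cmdline and is_firewall_disable_command(cmdline):
            hits.append(line)
    return hits


def parse_authorized_app(value_data):
    """Parse '<path>:<scope>:<mode>:<name>' into a dict.

    The path itself contains a drive-letter colon, so split from the right on the
    last three colons only.
    """
    parts = value_data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, mode, name = parts
    return {"path": path, "scope": scope, "mode": mode, "name": name}


# Directory fragments where a legitimately authorized service binary rarely lives.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\documents and settings\\", "\\users\\")
SYSTEM_PREFIXES = ("c:\\windows\\", "%windir%", "%systemroot%")


def suspicious_authorized_apps(entries):
    """entries: {value_name: value_data} exported from the AuthorizedApplications\\List key."""
    findings = []
    for value_name, data in entries.items():
        rec = parse_authorized_app(data)
        if rec is None or rec["mode"].lower() != "enabled":
            continue
        path = rec["path"].lower()
        reasons = []
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("path in user-writable location")
        if rec["name"].lower() == "ipsec" and not path.startswith(SYSTEM_PREFIXES):
            reasons.append('generic name "ipsec" on a non-system binary')
        if value_name.lower() != path:
            reasons.append("value name does not match path")
        if reasons:
            findings.append({"value": value_name, "path": rec["path"], "reasons": reasons})
    return findings


# Constructed process-creation log lines.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 PID=1234 Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh firewall set opmode disable",
    "2024-01-01 10:00:05 PID=1240 Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh interface ip show config",
    "2024-01-01 10:00:09 PID=1251 Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh advfirewall set allprofiles state off",
]

# Constructed registry export; the second entry mimics the pattern in the write-up
# with a placeholder path standing in for <Malware File>.
SAMPLE_LIST = {
    "%ProgramFiles%\\Microsoft Office\\Office12\\OUTLOOK.EXE":
        "%ProgramFiles%\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\placeholder_malware.exe":
        "C:\\Users\\alice\\AppData\\Local\\Temp\\placeholder_malware.exe:*:enabled:ipsec",
}

if __name__ == "__main__":
    for line in find_firewall_disable_events(SAMPLE_LOG):
        print("firewall disabled:", line)
    for f in suspicious_authorized_apps(SAMPLE_LIST):
        print("suspicious authorized app:", f)
```

The registry check is meant to run over a `reg export` of the `List` key (or an equivalent dump collected by your EDR); the process check over whatever process-creation telemetry you already collect. Neither test is specific to this family on its own, but together with the Iframe and FTP-client indicators they narrow the picture quickly.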
Connects to a remote Web site
TrojanSpy:Win32/Keatep.B attempts to connect to the following Web sites to download other files:
Steals FTP credentials
TrojanSpy:Win32/Keatep.B attempts to steal credentials for various FTP programs, such as "Total Commander" and "FileZilla". If any are found, TrojanSpy:Win32/Keatep.B uploads the gathered credentials to a remote location.
Analysis by Andrei Florin Saygo
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).