Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Therat.B carries out the following actions:
- It logs the keystrokes typed by the user while browsing through the Internet.
- It stores in a file all the usernames, passwords and addresses of the websites accessed by the user.
- Additionally, it accesses the following path of the Windows Registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\SPW
In this entry, there is a record of all the passwords that have been autofilled in the user's browser. Although these passwords are encrypted, there are applications that can decrypt them easily.
- Finally, this Trojan sends the data it has gathered to its author via email.
Infection strategy
Therat.B creates the following files in the Windows system directory:
- SOCKETIME.EXE. This file is a copy of the Trojan.
- REGHND32.DLL.
- 32THERAT.LOG, where it stores the information gathered by Therat.B.
Therat.B modifies the following entry of the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe socketime.exe
By modifying this entry, Therat.B ensures that it is run whenever Windows is started.
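The two host traces described above (the modified Winlogon Shell value and the files in the Windows system directory) can be checked with a short script. The following Python code is an added example, not part of Panda Security's entry. Its function names are hypothetical, it assumes the "Windows system directory" is %SystemRoot%\System32, and it goes slightly beyond this Trojan by reporting any Shell token other than the bare default.

```python
import os
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"
# File names this entry lists as created in the Windows system directory.
DROPPED_FILES = {"SOCKETIME.EXE", "REGHND32.DLL", "32THERAT.LOG"}


def extra_shell_entries(shell_value):
    """Return each token of the Shell value that is not the bare default shell.

    Strict on purpose: a full path to explorer.exe is also reported, because
    any deviation from the default value deserves a look.
    """
    tokens = shell_value.replace(",", " ").split()
    return [t for t in tokens if t.strip('"').lower() != DEFAULT_SHELL]


def dropped_files_present(system_dir):
    """Return, sorted, the listed file names found in system_dir (any case)."""
    return sorted(n for n in os.listdir(system_dir) if n.upper() in DROPPED_FILES)


def audit(shell_value, system_dir):
    """Combine both checks into one finding record."""
    extras = extra_shell_entries(shell_value)
    files = dropped_files_present(system_dir)
    return {"shell_extras": extras, "files": files,
            "suspicious": bool(extras or files)}


def read_live_shell():
    """Read the real Shell value from the registry; Windows only."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    if sys.platform == "win32":
        # Assumption: the "Windows system directory" is %SystemRoot%\System32.
        sysdir = os.path.join(os.environ["SystemRoot"], "System32")
        print(audit(read_live_shell(), sysdir))
    else:
        # Constructed sample: the modified value exactly as the entry shows it.
        print(extra_shell_entries("Explorer.exe socketime.exe"))
```

A file-name match alone is weak evidence, so treat the result as a prompt for review.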
Means of transmission
Therat.B does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
Therat.B is written in the programming language Visual C++. This Trojan is 5,973 bytes in size when compressed with FSG v2.0.
Additionally, it has been created with a constructor known as The Rat! 5.0XP.