Trojan.Win32.Scar.dgje is a Microsoft Windows trojan that attempts to steal passwords for multiple sites and takes multiple steps to prevent its removal. This trojan was written in Delphi.
Once the user has installed the file, it will copy itself into the AppData folder. It will also add a startup key to the System Registry. The trojan will constantly attempt to maintain this key, and will restore it when needed.
The trojan prevents booting into Safe Mode by deleting the "HKLM\System\ControlSet001\Control\SafeBoot" key branch. The trojan will then attempt to steal usernames and passwords for various services via these programs:
- WS FTP
- Total Commander
- FTP Commander
- Mozilla Thunderbird
- The Bat!
It will also extract data from the following files:
- %UserProfile%\My Documents\*.rdp
It will then transfer the gathered data to the virus author. The trojan will also randomly download files from multiple IP addresses.
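The registry behaviour described above (SafeBoot branch deletion, and a startup value that points into AppData and reappears after removal) can be checked for in registry telemetry. The following is an added detection example, not code from the original page; it assumes events shaped like Sysmon registry events (`EventType`, `TargetObject`, `Details`), assumes the startup key is a standard `Run` key value, matches control sets beyond `ControlSet001` as a generalization, and runs on constructed sample events.

```python
import re

# From the page: the trojan deletes HKLM\System\ControlSet001\Control\SafeBoot.
# Generalization: other control sets are matched as well.
SAFEBOOT = re.compile(
    r"^HKLM\\System\\(CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot(\\|$)", re.I)
# Assumption: the page's "startup key" is a value under a standard Run key.
RUN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
APPDATA = re.compile(r"\\AppData\\|\\Application Data\\", re.I)

def triage(events):
    """Return sorted (finding, registry path) pairs for the described behaviours."""
    findings = set()
    removed = set()  # Run values that were deleted and not yet rewritten
    for ev in events:
        kind, target = ev["EventType"], ev["TargetObject"]
        key = target.lower()
        if kind == "DeleteKey" and SAFEBOOT.match(target):
            findings.add(("safeboot_key_deleted", target))
        elif RUN_VALUE.search(target):
            if kind == "DeleteValue":
                removed.add(key)
            elif kind == "SetValue" and APPDATA.search(ev.get("Details", "")):
                findings.add(("run_value_points_to_appdata", target))
                if key in removed:  # value came back after being removed
                    findings.add(("run_value_restored_after_removal", target))
                    removed.discard(key)
    return sorted(findings)

# Constructed sample events (names, SID and paths are illustrative only).
RUN = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater"
EXE = r"C:\Users\alice\AppData\Roaming\updater.exe"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "TargetObject": RUN, "Details": EXE},
    {"EventType": "DeleteKey",
     "TargetObject": r"HKLM\System\ControlSet001\Control\SafeBoot\Minimal"},
    {"EventType": "DeleteKey",
     "TargetObject": r"HKLM\System\ControlSet001\Control\SafeBoot"},
    {"EventType": "DeleteValue", "TargetObject": RUN},  # cleanup attempt
    {"EventType": "SetValue", "TargetObject": RUN, "Details": EXE},  # restored
    {"EventType": "SetValue",  # benign entry that must not be flagged
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for name, path in triage(SAMPLE_EVENTS):
        print(f"{name}: {path}")
```

A Run value under AppData is common for legitimate per-user software, so the restore-after-removal and SafeBoot findings carry more weight than the AppData finding alone.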
- Kaspersky: Trojan.Win32.Agent2.cosd; Trojan.Win32.Pasmu.gv
- Securelist (Kaspersky Labs), Trojan.Win32.Scar.dgje