Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


Infection Channel: Downloaded from the Internet

CARBERP is a Trojan family first seen in 2009. This banking Trojan is designed to steal user credentials through hooking network APIs in WININET.DLL, monitoingr user browsing activities. It has the capability to connect to its C&C server to download configuration files and receive arbitrary commands, thus compromising the security of the infected systems.

CARBERP logs keystrokes, spoofs websites, and drops copies of itself in locations that do not require administrator privileges. This malware family is characterized as a plugin-dependent malware since it relies on downloaded/embedded modules to complete its routines. Two of the known plugins it uses are the miniav and stopav modules. These modules enable CARBERP to eliminate other malware and antivirus applications running on the infected computer.


Memory Resident: Yes
Payload: Steals information, Compromises system security


This Trojan drops the following files:

  • %System Root%\{random folder name}\wndsksi.inf
  • %System%\ieunitdrf.inf
  • {All User's Profile\wjver.dat

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following copies of itself into the affected system:

  • %User Startup%\igfxtray.exe
  • %User Startup%\{random filename}.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Other System Modifications

This Trojan adds the following registry entries:

TabProcGrowth = "0"


It drops the following folders:

  • %System Root%\{random folder name}
  • %User Profile%\Application Data\MicroST

It connects to any of the following C&C Servers:

  • http://{BLOCKED}
  • http://{BLOCKED}
  • http://{BLOCKED}
  • http://{BLOCKED}
  • http://{BLOCKED}