
System Infected: Infostealer.Retgate Activity 3

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects activity of Infostealer.Retgate.

Additional Information

The Trojan may arrive through email.

When the Trojan is executed, it creates the following file:

The Trojan modifies the following file:

Note: In prefs.js, the Trojan adds the following settings:
user_pref("network.http.spdy.enabled.v3", false)
user_pref("network.http.spdy.enabled.v3-1", false)
user_pref("network.http.spdy.enabled", false)

The Trojan then modifies the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"EnableSPDY3_0" = "0"
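The prefs.js settings and the registry value listed above are host indicators a defender can check for. The following script is an added example, not Symantec's code: it parses user_pref lines from prefs.js text, reports which of the three SPDY preferences are forced to false, and (on Windows only, via the standard winreg module) reads the EnableSPDY3_0 value under HKEY_CURRENT_USER. The sample prefs.js content is constructed, not a real capture.

```python
import re

# The three Firefox preferences the Trojan forces to false in prefs.js.
SPDY_PREFS = {
    "network.http.spdy.enabled.v3",
    "network.http.spdy.enabled.v3-1",
    "network.http.spdy.enabled",
}
# The registry value the Trojan sets to "0" (under HKEY_CURRENT_USER).
REG_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_VALUE = "EnableSPDY3_0"
# Matches user_pref("name", value) lines, with or without a trailing semicolon.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*([^)]+?)\s*\);?\s*$')

def parse_prefs(prefs_text):
    """Return a dict of every user_pref name -> raw value string in prefs.js text."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def find_spdy_tampering(prefs_text):
    """Return the sorted subset of SPDY_PREFS that are explicitly set to false."""
    prefs = parse_prefs(prefs_text)
    return sorted(name for name in SPDY_PREFS if prefs.get(name) == "false")

def registry_spdy_disabled():
    """True if HKCU\\...\\EnableSPDY3_0 is "0" (or 0); None if unreadable or not Windows."""
    try:
        import winreg  # only available on Windows
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_KEY) as key:
            value, _ = winreg.QueryValueEx(key, REG_VALUE)
        return str(value) == "0"
    except (ImportError, OSError):
        return None

# Constructed sample prefs.js content: the three tampered settings among ordinary prefs.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("network.http.spdy.enabled.v3", false)
user_pref("network.http.spdy.enabled.v3-1", false)
user_pref("network.http.spdy.enabled", false)
user_pref("network.http.spdy.enabled.http2", true);
"""

if __name__ == "__main__":
    print(find_spdy_tampering(SAMPLE_PREFS), registry_spdy_disabled())
```

On a live host, pass the contents of the Firefox profile's prefs.js to find_spdy_tampering instead of SAMPLE_PREFS; a non-empty result together with a True from registry_spdy_disabled matches the modifications described on this page.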

The Trojan injects itself into the following processes:

The Trojan may then steal usernames and passwords from Outlook and from visited websites (by hooking APIs); the stolen data is encrypted before it is sent out over the network.

The Trojan sends stolen information to the following remote location:
