Trojan.Clampi


Risk Level 2: Low

January 16, 2008
November 8, 2012 4:05:19 PM
Also Known As:
Win32/Ilomo.BC [Computer Associates], TROJ_ILOMO.B [Trend]
Infection Length:
402,952 bytes
Systems Affected:
Trojan.Clampi, also known as Ligats and Ilomo, is a Trojan horse that attempts to steal login credentials related to online banking and other financially related websites.

While Clampi itself does not spread further, it downloads a module that spreads Clampi across network shares. The module copies a file to every possible network resource, which includes any computer the currently logged-on user has access to. Because of how the module accomplishes this, the file it copies could be of any type, including other, unrelated malware, but currently it is a dropper for Clampi.
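The share fan-out described above (one logged-on user's machine writing the same file to many network resources in a short time) can be hunted for in file-share audit data. The following is an added example, not Symantec's detection logic: the event tuple layout, host names, threshold and time window are assumptions, and the sample events are constructed. It keys on file name rather than extension because the copied file could be of any type.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not taken from the writeup. Hypothetical layout:
# (timestamp, source_host, user, target_host, share, file_name)
SAMPLE_EVENTS = [
    ("2008-01-16T09:00:01", "WS-014", "jdoe", "FS-01", "public", "update.exe"),
    ("2008-01-16T09:00:20", "WS-014", "jdoe", "FS-02", "dept", "update.exe"),
    ("2008-01-16T09:00:47", "WS-014", "jdoe", "WS-020", "C$", "Update.exe"),
    ("2008-01-16T09:01:30", "WS-014", "jdoe", "WS-021", "C$", "update.exe"),
    ("2008-01-16T09:10:00", "WS-030", "asmith", "FS-01", "public", "report.docx"),
    ("2008-01-16T08:00:00", "WS-040", "bkim", "FS-01", "tools", "setup.exe"),
    ("2008-01-16T10:30:00", "WS-040", "bkim", "FS-02", "tools", "setup.exe"),
    ("2008-01-16T13:00:00", "WS-040", "bkim", "FS-03", "tools", "setup.exe"),
]

def find_share_fanout(events, min_targets=3, window=timedelta(minutes=5)):
    """Flag a source/user that wrote the same file name to at least
    min_targets distinct hosts inside one sliding time window."""
    groups = defaultdict(list)
    for ts, src, user, target, _share, name in events:
        # File names on Windows shares are case-insensitive, so normalise.
        key = (src, user, name.lower())
        groups[key].append((datetime.fromisoformat(ts), target))

    alerts = []
    for (src, user, name), writes in groups.items():
        writes.sort()
        start, best = 0, set()
        for end in range(len(writes)):
            # Shrink the window from the left until it spans <= window.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            targets = {t for _, t in writes[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            alerts.append({"source": src, "user": user, "file": name,
                           "targets": sorted(best)})
    return sorted(alerts, key=lambda a: (a["source"], a["file"]))

if __name__ == "__main__":
    for alert in find_share_fanout(SAMPLE_EVENTS):
        print(alert)
```

Legitimate software deployment produces the same pattern, so alerts from a heuristic like this need an allow-list of known deployment hosts and accounts before they are useful.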

Clampi's primary purpose is to steal credentials for online banking sites as well as credentials stored locally. It targets hundreds of websites in dozens of countries. Once it gathers the information it is looking for, it injects itself into the Internet Explorer process in order to bypass any local firewall. This allows it to send the gathered information to its command and control (C&C) server and to open a back channel for receiving instructions from that server.

Clampi also acts as a SOCKS proxy server. This provides anonymity for the Clampi author(s) when they connect to banking and other financially related websites using the stolen credentials, and lets them bypass any online banking security or monitoring that may recognize abnormal connections from suspect IP addresses.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures


Antivirus (heuristic/generic)


Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version January 18, 2008 revision 040
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version January 17, 2008 revision 033
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date January 23, 2008
Writeup By: Jarrad Shearer
