BackDoor.Butirat.91 is a backdoor that, before being installed on the system, checks HKCU(HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost for the path to its executable file. If the path is similar to the current location, installation does not start.
The malicious program places a copy of itself under the name taskhost.exe into %APPDATA% or into %SystemRoot%\System32. Then it adds the file path to the HKCU(HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost registry branch. The Trojan stores all data in the System.log file that resides in the same folder as the executable file.
BackDoor.Butirat.91 is designed to steal passwords stored by popular FTP clients (such as FlashFXP, Total Commander, FileZilla, FAR, WinSCP, FtpCommander, SmartFTP) and forward this data to cybercriminals. Moreover, the Trojan can download executable files from remote hosts and generate traffic for certain websites.
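
A triage check built from the installation indicators described above, as an added example that is not part of the original write-up: it parses `reg query` output collected from a host and flags a Taskhost value under the Run key, noting whether it points at one of the described drop paths and whether System.log sits beside it. The function names, the sample output, the environment values and the file listing are all constructed for illustration.

```python
import ntpath
import re

# Indicators from the write-up: Run key, value name, dropped file, data file, drop folders.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
VALUE_NAME, DROP_NAME, DATA_FILE = "taskhost", "taskhost.exe", "System.log"
DROP_DIRS = ("%APPDATA%", r"%SystemRoot%\System32")
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def expand(text, env):
    """Expand %VAR% references using environment values collected from the same host."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)

def exe_path(data, env):
    """Reduce a Run command line to its executable path (strip quotes and arguments)."""
    cmd = expand(data.strip(), env)
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def find_butirat(reg_output, env, files=()):
    """Flag Run\\Taskhost values; paths are compared case-insensitively (lower-cased)."""
    known = {ntpath.normcase(f) for f in files}
    drops = {ntpath.normcase(ntpath.join(expand(d, env), DROP_NAME)) for d in DROP_DIRS}
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not (m and key and key.lower().endswith(RUN_KEY)
                and m.group(1).lower() == VALUE_NAME):
            continue
        path = ntpath.normcase(ntpath.normpath(exe_path(m.group(3), env)))
        log = ntpath.normcase(ntpath.join(ntpath.dirname(path), DATA_FILE))
        findings.append({"key": key, "path": path,
                         "in_drop_dir": path in drops, "system_log": log in known})
    return findings

# Constructed sample data (not from a real host): `reg query` output, env values, file list.
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming", "SYSTEMROOT": r"C:\Windows"}
SAMPLE_FILES = [r"C:\Users\alice\AppData\Roaming\System.log"]
SAMPLE = r"""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Taskhost    REG_SZ    C:\Users\alice\AppData\Roaming\taskhost.exe
"""

if __name__ == "__main__":
    print(find_butirat(SAMPLE, SAMPLE_ENV, SAMPLE_FILES))
```

Feed it the output of `reg query` for the Run key of each hive; a finding with both `in_drop_dir` and `system_log` set matches every installation artifact the description lists.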