Infostealer.Nuknuken
First posted on 14 November 2014.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Nuknuken.
Explanation:
The Trojan arrives on the computer through documents that exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).
When the Trojan is executed, it creates the following files:
%System%\Com\svchost.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\Mozilla\[RANDOM].bin
%UserProfile%\Local Settings\ntxobj.exe
Next, the Trojan installs itself as a service by adding the "sys" string to an existing service and deleting the first character in the service's display name. The Trojan chooses the service to mimic at random.
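A defender-side hunt for the two artefacts described above (the dropped file paths and the service that mimics an existing one), added here as an example and not part of the Symantec write-up. It assumes the "sys" string may be added as either a prefix or a suffix (the write-up does not say which), treats [RANDOM].bin as a wildcard, and runs over a constructed service list and path list rather than the live Service Control Manager; the Service class, function names and sample data are the example's own.

```python
"""Hunt for the Infostealer.Nuknuken persistence pattern on a service inventory."""
import fnmatch
from dataclasses import dataclass

# Dropped-file locations quoted in the write-up. Environment variables are
# kept as written; expand them per host before checking a real filesystem.
DROPPED_PATHS = (
    r"%System%\Com\svchost.exe",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\Mozilla\[RANDOM].bin",
    r"%UserProfile%\Local Settings\ntxobj.exe",
)


@dataclass(frozen=True)
class Service:
    name: str          # service (short) name as registered with the SCM
    display_name: str  # display name shown in services.msc


def find_mimic_services(services):
    """Return (suspect_name, mimicked_name) pairs.

    Heuristic from the write-up: the malicious service name is an existing
    service name with "sys" added, and its display name is the existing
    display name with the first character removed. Prefix and suffix
    placement of "sys" are both checked (assumption; the write-up is silent).
    """
    by_name = {s.name.lower(): s for s in services}
    hits = []
    for s in services:
        lname = s.name.lower()
        bases = []
        if len(lname) > 3 and lname.endswith("sys"):
            bases.append(lname[:-3])
        if len(lname) > 3 and lname.startswith("sys"):
            bases.append(lname[3:])
        for base in bases:
            orig = by_name.get(base)
            if orig is None or orig is s:
                continue
            # Both conditions must hold: a name collision alone is common
            # (helper services, vendor suffixes) and would be noisy.
            if len(orig.display_name) > 1 and s.display_name == orig.display_name[1:]:
                hits.append((s.name, orig.name))
    return hits


def match_dropped_paths(observed_paths):
    """Return the observed paths that match the write-up's dropped-file locations.

    "[RANDOM]" is replaced by a glob wildcard before matching; comparison is
    case-insensitive, mirroring NTFS.
    """
    patterns = [p.replace("[RANDOM]", "*").lower() for p in DROPPED_PATHS]
    return [p for p in observed_paths
            if any(fnmatch.fnmatchcase(p.lower(), pat) for pat in patterns)]


# Constructed sample inventory: two legitimate services, one decoy that only
# collides on the name, and one entry that satisfies both conditions.
SAMPLE_SERVICES = [
    Service("Spooler", "Print Spooler"),
    Service("Dnscache", "DNS Client"),
    Service("Dnscachesys", "DNS Client Helper"),  # name matches, display does not
    Service("Spoolersys", "rint Spooler"),        # matches the described pattern
]

# Constructed sample file listing; the last entry is the genuine svchost.exe
# location and must not be flagged.
SAMPLE_PATHS = [
    r"%System%\Com\svchost.exe",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\Mozilla\a81f.bin",
    r"%UserProfile%\Local Settings\ntxobj.exe",
    r"%System%\svchost.exe",
]

if __name__ == "__main__":
    for suspect, mimicked in find_mimic_services(SAMPLE_SERVICES):
        print(f"suspect service {suspect!r} mimics {mimicked!r}")
    for path in match_dropped_paths(SAMPLE_PATHS):
        print(f"dropped-file path present: {path}")
```

On a real host the service list would come from the SCM (for example by parsing `sc query` output or the Services registry hive) and the path list from a filesystem walk with the environment variables expanded; the two functions are independent of that collection step.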
The Trojan then connects to the following remote locations:
131.72.138.180:443
systemsvc.net
system-svc.net
The Trojan may then perform the following actions:
Log keystrokes
Capture screenshots
Gather information entered into web forms
Gather login credentials
Add or remove firewall rules
List running processes
Download additional components
Last update 14 November 2014