
Trojan.Spy.Agent.NKG


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Spy.Agent.NKG is also known as I-Worm/VB.TP, Win32:VB-CMK, W32/MadCoffee.F.worm, 32.SillyWNSE, Email-Worm.Win32.VB.cb.

Explanation:

This trojan is received as a 98304-byte file, written in Visual Basic, with a folder icon so that the user is tricked into executing it.
Upon execution, the worm file copies itself to the following locations:
%windir%\svchost.exe
%windir%\system32\BttnServ.exe
Both files are hidden.

Next, the trojan executes %windir%\svchost.exe and sets the (Default) value of the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to %windir%\svchost.exe.

The originally received file then terminates its own process.

Once running, %windir%\svchost.exe remains active in memory and deletes itself from the hard disk.

The trojan's window is invisible, so it runs in the background.

It ensures that it is run again after the next reboot by setting the value CPQEASYBTTN under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to %windir%\system32\BttnServ.exe.

While running, the trojan reads every text box of every Internet Explorer window and stores their contents. This read is repeated every 500 ms. The trojan sends the collected information using MAPI (an architecture for messaging applications).

The messages are sent to http://mail.madcoffee.com/index.php with the user OperationDefecha@yahoo.com
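The two Run-key entries described above are the persistence artifacts a responder would look for first. The following is an added example (not from BitDefender or this page) that parses a `.reg` export of the Run key and flags entries matching this trojan's persistence; the export text is constructed for the example, and on a live host it would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`. It also flags any (Default) value that launches an svchost.exe from outside system32, since the legitimate svchost.exe lives under %windir%\system32.

```python
import re

# Constructed sample of a .reg export of the Run key on an infected host
# (backslashes are doubled in .reg files; the last entry is a benign decoy).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="%windir%\\svchost.exe"
"CPQEASYBTTN"="%windir%\\system32\\BttnServ.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''


def parse_run_key(reg_text):
    """Return {value_name: data} for string values in a .reg export.

    '@' denotes the (Default) value. Doubled backslashes are unescaped
    so the returned paths look like what regedit displays.
    """
    entries = {}
    for line in reg_text.splitlines():
        m = re.match(r'^(@|"([^"]*)")="(.*)"$', line)
        if not m:
            continue  # header, key name, blank line or non-string value
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        entries[name] = m.group(3).replace("\\\\", "\\")
    return entries


def find_suspicious(entries):
    """Flag Run entries matching Trojan.Spy.Agent.NKG's persistence.

    Returns a list of (value_name, data, reason) tuples.
    """
    findings = []
    for name, data in entries.items():
        path = data.strip('"').lower()
        # (Default) is normally unset; an svchost.exe outside system32 is not the real one.
        if name == "(Default)" and path.endswith("svchost.exe") and "system32" not in path:
            findings.append((name, data, "(Default) runs svchost.exe from outside system32"))
        elif name.upper() == "CPQEASYBTTN" and path.endswith("bttnserv.exe"):
            findings.append((name, data, "CPQEASYBTTN autorun points at BttnServ.exe"))
    return findings


if __name__ == "__main__":
    for name, data, reason in find_suspicious(parse_run_key(SAMPLE_REG)):
        print(f"SUSPICIOUS {name} = {data}: {reason}")
```

The same check can be run on exports of the per-user Run key (HKCU) to catch variants that persist there instead.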

Last update 21 November 2011
