
Trojan.Nymaim.B


First posted on 21 February 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Nymaim.B.

Explanation :

Once executed, the Trojan drops the following file:
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts (Windows deletes a RunOnce value after processing it, so on an infected system this entry is only present between the Trojan's last run and the next startup):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"[RANDOM STRING]" = "%SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]"

The Trojan then creates the following registry entry, which makes Winlogon launch the dropped file as the user's shell before starting explorer.exe (this per-user Shell value does not exist on a clean system, so its presence alone is an indicator of compromise):
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME],explorer.exe"

It then attempts to connect to one of the following locations in order to update itself or download other malware:
apddtww.biz
bxsupbag.com
corfbsvdvz.biz
dngnpdcy.org
dpmqvjay.net
fajcgzyorp.com
fgghxchil.net
gewvogefqz.biz
gjzylv.ru
jdtwesjab.biz
jileyiixx.com
jvaankz.org
ldkguw.biz
lumlereou.com
lxawamilwkt.com
mcgmzfqe.ru
mjfzkdlztr.org
ntstghst.ru
opkcubj.biz
oxhdlsha.com
peqxhhwgigy.biz
qtvoabrx.net
rvthbcuxd.biz
sexopartynow.org
sweetbabydolly.org
tdkdgivar.biz
vyerhmyh.info
wbezwedfhd.info
wouhysd.info
xbetcic.org
xslxrdhn.net
yvbhniagt.biz
zdlxqk.com
zfeherttbiv.net
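The following triage script is an added example written for this page; it is not Symantec's code and not part of the original write-up. It turns the three indicators above (the Winlogon Shell hijack, the RunOnce entry pointing into an Application Data folder, and the command-and-control domain list) into checks that can be run offline against exported registry values and DNS query logs. The registry values and log lines embedded in it are constructed samples whose random folder and file names were invented for illustration; only the domain list is taken from the page. Note that the description places the dropped file under %UserProfile% while the registry entries reference the All Users profile, so the path check below matches an "Application Data" folder under any profile.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed samples (not from a real host). The shape follows the
# Trojan.Nymaim.B description; "qzkrtv", "hwlmdq.exe" and "kxwpqa" stand in
# for the [RANDOM ...] placeholders and are invented for this example.
SAMPLE_WINLOGON_SHELL = (
    r"C:\Documents and Settings\All Users\Application Data\qzkrtv\hwlmdq.exe,explorer.exe"
)
SAMPLE_RUNONCE: Dict[str, str] = {
    "kxwpqa": r"C:\Documents and Settings\All Users\Application Data\qzkrtv\hwlmdq.exe",
    "VendorUpdater": r"C:\Program Files\Vendor\update.exe /silent",
}
SAMPLE_DNS_LOG = [
    "2014-02-21 09:12:01 192.168.1.23 query A www.example.com",
    "2014-02-21 09:12:07 192.168.1.23 query A gjzylv.ru",
    "2014-02-21 09:12:09 192.168.1.40 query A mail.example.org",
    "2014-02-21 09:12:11 192.168.1.23 query A cdn.sweetbabydolly.org.",
]

# Command-and-control domains listed in the Symantec description.
C2_DOMAINS = {
    "apddtww.biz", "bxsupbag.com", "corfbsvdvz.biz", "dngnpdcy.org",
    "dpmqvjay.net", "fajcgzyorp.com", "fgghxchil.net", "gewvogefqz.biz",
    "gjzylv.ru", "jdtwesjab.biz", "jileyiixx.com", "jvaankz.org",
    "ldkguw.biz", "lumlereou.com", "lxawamilwkt.com", "mcgmzfqe.ru",
    "mjfzkdlztr.org", "ntstghst.ru", "opkcubj.biz", "oxhdlsha.com",
    "peqxhhwgigy.biz", "qtvoabrx.net", "rvthbcuxd.biz", "sexopartynow.org",
    "sweetbabydolly.org", "tdkdgivar.biz", "vyerhmyh.info", "wbezwedfhd.info",
    "wouhysd.info", "xbetcic.org", "xslxrdhn.net", "yvbhniagt.biz",
    "zdlxqk.com", "zfeherttbiv.net",
}

# A program path under any profile's "Application Data" folder (per-user or All Users).
APPDATA_RE = re.compile(r"\\Application Data\\", re.IGNORECASE)


def parse_shell_value(value: str) -> List[str]:
    """Winlogon's Shell value is a comma-separated list of programs to launch at logon."""
    return [part.strip() for part in value.split(",") if part.strip()]


def suspicious_shell_entries(value: str) -> List[str]:
    """Return every Shell component that is not explorer.exe.

    A clean system has no HKCU Winlogon\\Shell value at all, so any extra
    component (the Trojan prepends its dropped file) is worth investigating.
    """
    return [p for p in parse_shell_value(value) if p.lower() != "explorer.exe"]


def suspicious_runonce(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag RunOnce values whose command points into an Application Data folder."""
    return [(name, cmd) for name, cmd in entries.items() if APPDATA_RE.search(cmd)]


def match_c2_domains(log_lines: Iterable[str], domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (log line, matched domain) for queries to a listed domain or a subdomain of it.

    The query name is assumed to be the last whitespace-separated field of each line
    (the constructed log format above); a trailing dot from a fully qualified name is ignored.
    """
    hits = []
    for line in log_lines:
        qname = line.rsplit(" ", 1)[-1].lower().rstrip(".")
        for domain in domains:
            if qname == domain or qname.endswith("." + domain):
                hits.append((line, domain))
                break
    return hits


if __name__ == "__main__":
    for entry in suspicious_shell_entries(SAMPLE_WINLOGON_SHELL):
        print("Winlogon Shell component other than explorer.exe:", entry)
    for name, cmd in suspicious_runonce(SAMPLE_RUNONCE):
        print(f"RunOnce value {name!r} runs from Application Data: {cmd}")
    for line, domain in match_c2_domains(SAMPLE_DNS_LOG, C2_DOMAINS):
        print(f"DNS query matched C2 domain {domain}: {line}")
```

On a live Windows host the two registry values would be read from HKEY_CURRENT_USER (for every loaded user hive, not just the investigator's) and fed to these functions; the DNS matcher accepts any log format whose last field is the queried name, and matches subdomains so a lookup such as a host under one of the listed domains is still caught.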

Last update 21 February 2014
