Home / malwarePDF  

TrojanSpy:Win32/Nivdort.Y


First posted on 23 June 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanSpy:Win32/Nivdort.Y.

Explanation :

Threat behavior TrojanSpy:Win32/Nivdort.Y is a trojan that collects sensitive information for an attacker.

Installation

TrojanSpy:Win32/Nivdort.Y creates the following files on your PC:



  • %windir% \assembly\nativeimages_v2.0.50727_32\temp\zape.tmp\system.data.entity.design.dll



  • %windir% \temp\ttnfwp17orzzxf.exe



  • \ebiwquueqb.exe

  • \snkunmyqngv.exe
  • \kvuqcdeqx\cfg
  • \kvuqcdeqx\etc
  • \kvuqcdeqx\rng
  • \kvuqcdeqx\run
  • \kvuqcdeqx\tst
  • c:\documents and settings\administrator\local settings\temp\ttnfwp16zbbzxfmaitarb.exe


Payload

Changes Hosts file

TrojanSpy:Win32/Nivdort.Y changes the Windows Hosts file. Malware sometimes does this to redirect URLs to different IP addresses, often to stop you from accessing security-related websites. Changes system security settings

The malware might try to disable firewall notifications from the Windows Security Center by modifying the following registry entry:

Sets value: "FirewallDisableNotify"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center Contacts remote hosts

The malware may contact the following remote hosts using port 80:

  • ablevoice.net
  • frontride.net
  • gentlefriend.net
  • glasshealth.net
  • jinoplasker.com
  • knowfive.net
  • knowvoice.net
  • littleappear.net
  • mightglossary.net
  • necessarydress.net
  • rememberpaint.net
  • spendmarry.net
  • tablefruit.net
  • throughcountry.net
  • uponloud.net
  • wrongthrew.net

Commonly, malware does this to:
  • Confirm Internet connectivity
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 4e5283eef5a6d9a9ffff1e71e821efe2a53ee12d.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    %windir%\assembly\nativeimages_v2.0.50727_32\temp\zape.tmp\system.data.entity.design.dll
    %windir%\temp\ttnfwp17orzzxf.exe
    \ebiwquueqb.exe
    \snkunmyqngv.exe
    \kvuqcdeqx\cfg
    \kvuqcdeqx\etc
    \kvuqcdeqx\rng
    \kvuqcdeqx\run
    \kvuqcdeqx\tst
    c:\documents and settings\administrator\local settings\temp\ttnfwp16zbbzxfmaitarb.exe
  • You see these entries or keys in your registry:

    Sets value: "FirewallDisableNotify"
    With data: "1"
    In subkey: HKLM\SOFTWARE\Microsoft\Security Center

Last update 23 June 2014

 

TOP

Malware :

Family: