
Trojan.Navedri


First posted on 20 March 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Navedri.

Explanation:

Trojan.Navedri may be dropped on the compromised computer by a malicious .hwp document (detected as Bloodhound.HWP.5).

When the Trojan is executed, it creates the following files:
%Temp%\rgs.dll
%Temp%\tmp.dll
%Temp%\svcs.dll
%Temp%\comaddon.dll
%Temp%\Comsvc.exe
%Temp%\NVaccine.exe
%Temp%\NaverAddress.db
%Temp%\dg12bd.dll
%Temp%\ki3s3.exe
%System%\srvsec.dll
%Temp%\jsdebgui.exe
%Temp%\jsdebgui.dll
%System%\c_[RANDOM CHARACTERS].nls
The Trojan then modifies the following file:
%UserProfile%\Local Settings\Temp\rms.dll.mui
Next, the Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HwpUpdate" = "HwpUpdate.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HwpUpdate" = "%Temp%\Comsvc.exe"
The Trojan also creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost\"svccom" = "Com+ System Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Com+ System Service\Parameters\"ServiceDll" = "%System%\svcs.dll"
The Trojan modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\AhnLab\V3IS2007\InternetSec\"FWRunMode" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\Ahnlab\V3IS80\is\"fwmode" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\"Start" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\"EnableFirewall" = "4"
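The registry entries above (the Run-key persistence, the svchost group and ServiceDll hijack, and the rewritten AhnLab, Windows Firewall and Security Center settings) can be checked for in a text dump produced by `reg export`. The following is an added example, not part of the Symantec write-up: a small .reg parser and scanner for exactly those entries, run over a constructed sample dump.

```python
# Added example (not from the Symantec write-up): scan a `reg export` text dump for
# the Trojan.Navedri persistence and security-tampering entries listed above.
# (key, value name) -> (data the Trojan writes, or None for "any data"; finding label)
INDICATORS = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "HwpUpdate"): (None, "persistence"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost", "svccom"): (None, "persistence"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Com+ System Service\Parameters", "ServiceDll"): (None, "persistence"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\AhnLab\V3IS2007\InternetSec", "FWRunMode"): ("4", "security control disabled"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Ahnlab\V3IS80\is", "fwmode"): ("4", "security control disabled"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall"): ("4", "security control disabled"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile", "EnableFirewall"): ("4", "security control disabled"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): ("4", "security control disabled"),  # 4 = SERVICE_DISABLED
}

def parse_reg(text):
    """Yield (key, name, data) from .reg text; dword data is returned as a decimal string."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith("dword:"):
                data = str(int(data[len("dword:"):], 16))
            else:  # REG_SZ: quoted, with backslashes doubled
                data = data.strip('"').replace("\\\\", "\\")
            yield key, name.strip('"'), data

def scan(text):
    """Return findings; registry paths and value names compare case-insensitively."""
    wanted = {(k.lower(), n.lower()): v for (k, n), v in INDICATORS.items()}
    findings = []
    for key, name, data in parse_reg(text):
        expect, label = wanted.get((key.lower(), name.lower()), (None, None))
        if label and expect in (None, data):
            findings.append(f"{label}: {key}\\{name} = {data}")
    return findings

# Constructed sample (a real export is UTF-16 on disk): a benign Run entry, the Trojan's
# Run entry, Security Center disabled, and a firewall profile still enabled (not flagged).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"HwpUpdate"="%Temp%\\Comsvc.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"""
```

Running `scan(open(path, encoding="utf-16").read())` on a dump taken from a suspect host reports each matching entry with its data, so a still-enabled firewall profile or a legitimate Run entry is not reported.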
The Trojan creates a service with the following properties:
Service names:
ServerSecurity
Com+ System Service
The Trojan then gathers the following information from the compromised computer:
Task list
System information
Computer name
User name
File information
The Trojan then sends the gathered information to the following remote location:
ftp.bytehost17.com
The Trojan may then download and execute files from any of the following remote locations:
[http://]daum-modifypw.besaba.com
[http://]www.nate-on.bugs3.com
[http://]mail.bg

Last update 20 March 2015
