Trojan:Win32/NfLog.A
First posted on 17 November 2012.
Source: Microsoft
Aliases:
Trojan:Win32/NfLog.A is also known as TR/NfLog.A.46 (Avira), Trojan.Click2.39986 (Dr.Web), Trojan.Win32.NfLog (Ikarus), Trojan.NfLog!3EF1 (Rising AV), BKDR_NFLOG.XC (Trend Micro).
Explanation:
Trojan:Win32/NfLog.A is a trojan that allows an attacker to run commands on your computer.
Installation
Trojan:Win32/NfLog.A may be dropped by another malware detected as TrojanDropper:WinHLP/NfLog.A.
It may install itself as any of the following files in <system folder>:
- nfipv6.ocx
- msmapi.ocx
It also installs the following hidden file in the %Temp% folder as part of its installation routine:
- $NtUninstallKB942388$
Trojan:Win32/NfLog.A creates the following registry entry:
In subkey: HKCU\Software\Microsoft\Clock
Sets value: "HID"
With data: "<hex value>"
Payload
Connects to a remote server
Trojan:Win32/NfLog.A tries to connect to a certain server to receive commands. It has been known to do the following to your computer:
- Download and run arbitrary files
- Update itself
- Upload and delete files
- Run or stop applications
- Run commands from the command prompt, and view the results
It tries to connect to any of the following servers:
- adobesupporting.org
- creamofa.com
- deliwen.org
- diaoyiku.com
- jpmofa.com
- loveinca.com
- microsoftupdata.com
- microtelev.com
- nalaner.com
- sleepstars.com
- superquail.com
- symatecatw.com
- vbnisp.com
- vvindow.com
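The write-up above gives three kinds of host and network indicators: the file names it drops, the registry value it sets, and the servers it contacts. The following Python script is an added example (not code from Microsoft or from the write-up) showing how a defender could turn those indicators into a simple triage check. It matches the listed domains against a constructed DNS query log (the log line format, the client IPs and the `SAMPLE_*` data are all made up for the example), treating a query for a subdomain of a listed server as a hit while not matching a domain that merely starts with one of the listed names. It also checks a list of observed file paths and registry values against the installation artifacts named above.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicators copied from the write-up above (C2 servers, dropped file names,
# registry key/value). These are the page's own IoCs, not constructed values.
C2_DOMAINS = {
    "adobesupporting.org", "creamofa.com", "deliwen.org", "diaoyiku.com",
    "jpmofa.com", "loveinca.com", "microsoftupdata.com", "microtelev.com",
    "nalaner.com", "sleepstars.com", "superquail.com", "symatecatw.com",
    "vbnisp.com", "vvindow.com",
}
DROPPED_FILES = {"nfipv6.ocx", "msmapi.ocx", "$ntuninstallkb942388$"}
REGISTRY_INDICATOR = (r"hkcu\software\microsoft\clock", "hid")

# Hypothetical DNS log format used only for this example:
#   "<date> <time> <client-ip> query <qtype> <qname>"
DNS_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$"
)


def domain_matches(name: str) -> Optional[str]:
    """Return the listed C2 domain that `name` equals or is a subdomain of.

    Only label-aligned suffixes count, so 'update.vvindow.com' matches
    'vvindow.com' but 'vvindow.com.example.net' does not.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched C2 domain) for every hit."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        matched = domain_matches(m["qname"])
        if matched:
            hits.append((m["client"], m["qname"], matched))
    return hits


def check_host_artifacts(file_paths: Iterable[str],
                         registry_values: Iterable[Tuple[str, str]]) -> List[str]:
    """Flag observed file paths and registry values that match the write-up.

    File names are matched by base name regardless of folder; a stricter check
    could additionally require the system folder / %Temp% locations the
    write-up names.
    """
    findings = []
    for path in file_paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in DROPPED_FILES:
            findings.append(f"dropped file: {path}")
    for key, value in registry_values:
        if (key.lower(), value.lower()) == REGISTRY_INDICATOR:
            findings.append(f"registry: {key}\\{value}")
    return findings


# Constructed sample data for the example run.
SAMPLE_DNS_LOG = [
    "2012-11-17 10:03:12 192.168.1.23 query A www.microsoft.com",
    "2012-11-17 10:03:40 192.168.1.23 query A microsoftupdata.com",
    "2012-11-17 10:04:01 192.168.1.57 query A update.vvindow.com",
    "2012-11-17 10:04:05 192.168.1.57 query A vvindow.com.example.net",
    "malformed line that should be skipped",
]
SAMPLE_FILES = [
    r"C:\Windows\System32\nfipv6.ocx",
    r"C:\Users\alice\AppData\Local\Temp\$NtUninstallKB942388$",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Clock", "HID"),
    (r"HKCU\Software\Microsoft\Windows", "Unrelated"),
]

if __name__ == "__main__":
    for client, qname, matched in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {client} queried {qname} (matches {matched})")
    for finding in check_host_artifacts(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(f"Host hit: {finding}")
```

Run as-is, it reports the two DNS queries that resolve to listed servers and the three host artifacts, while ignoring the look-alike `vvindow.com.example.net` query and the unrelated file and registry entries. On a real host the file and registry lists would come from a directory export and a registry dump rather than the constructed lists here.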
Analysis by Mihai Caolta
Last update 17 November 2012