
TrojanDownloader:Win32/Namsoth.B


First posted on 04 November 2010.
Source: SecurityHome

Aliases:

TrojanDownloader:Win32/Namsoth.B is also known as Trojan horse Generic19.BPYL (AVG), Gen:Trojan.Heur.RP.aqW@aWem8imb (BitDefender), TrojanDownloader:Win32/Simgums.A (other).

Explanation:

TrojanDownloader:Win32/Namsoth.B is a trojan that consists of various components that are used to download additional files and malware onto the computer.

Installation

TrojanDownloader:Win32/Namsoth.B consists of three executable components, using the filenames below:

  • Svchost.exe
  • Svehost.exe
  • Update.exe

Upon execution, TrojanDownloader:Win32/Namsoth.B makes the following registry modification so that "svchost.exe" executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: svchost
With data: <path to executable>\svchost.exe

where <path to executable> is the directory where "svchost.exe" is running.

The "svehost.exe" component is installed as a service with the service name "dlserver", which is visible in the Control Panel > Administrative Tools > Services window.

Payload

Downloads and executes arbitrary files

The three components of TrojanDownloader:Win32/Namsoth.B are used to download additional files onto the computer.

One component contacts a particular server in order to retrieve instructions on additional files to execute, including updates for the trojan. This component also sends information back to the server, such as the computer name of the infected machine or the version of the malware running.

Another component contacts a specific page on the domain "mishe.org" in order to retrieve the location of an executable to download. If found, the trojan downloads it to the %TEMP% folder and executes it.

The final component also downloads additional files onto the computer, including a JPG file from the "homier.com" domain.

Modifies system settings

TrojanDownloader:Win32/Namsoth.B modifies the following registry entry in order to bypass the local proxy server:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMaps\
Sets value: ProxyBypass
With data: "1"
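The persistence and configuration artifacts listed above can be checked on a suspect host with the following read-only PowerShell script, an added example that is not part of the original write-up. It assumes the companion files sit in the same directory as the "svchost.exe" referenced by the Run value, and it checks both the "ZoneMaps" spelling given above and the standard "ZoneMap" subkey.

```powershell
# Added example (not from the original write-up): read-only host check for the
# Namsoth.B indicators listed in this entry. Run in an elevated PowerShell.
$findings = @()

# 1. HKCU Run value "svchost". The genuine svchost.exe is never started from
#    HKCU\...\Run, so a value with this name is suspect regardless of its data.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svchost']) {
    $data = ([string]$run.svchost).Trim('"')
    $findings += "Run value 'svchost' = $data"
    # Assumption: Svehost.exe and Update.exe sit beside that svchost.exe.
    if ($data) {
        $dir = Split-Path -Path $data -Parent
        foreach ($name in 'Svehost.exe', 'Update.exe') {
            $candidate = Join-Path $dir $name
            if ($dir -and (Test-Path -LiteralPath $candidate)) {
                $findings += "Companion file present: $candidate"
            }
        }
    }
}

# 2. Service named "dlserver" (the svehost.exe component).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='dlserver'"
if ($svc) {
    $findings += "Service 'dlserver' present, PathName: $($svc.PathName)"
}

# 3. ProxyBypass set to 1. The write-up spells the subkey "ZoneMaps"; the
#    standard subkey under Internet Settings is "ZoneMap", so check both.
foreach ($sub in 'ZoneMaps', 'ZoneMap') {
    $k = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\$sub"
    $p = Get-ItemProperty -Path $k -Name ProxyBypass -ErrorAction SilentlyContinue
    if ($p -and ([string]$p.ProxyBypass) -eq '1') {
        $findings += "$sub\ProxyBypass = 1"
    }
}

if ($findings.Count -eq 0) {
    'No Namsoth.B indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

A hit on the Run value alone is a strong signal, since no legitimate software registers "svchost" under HKCU Run; the service and ProxyBypass checks corroborate it.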

Analysis by Amir Fouda

Last update 04 November 2010
