
Trojan:Win32/Netvat.A


First posted on 07 September 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/Netvat.A is also known as Trojan:Win32/Trafog!rts (other), Trojan:Win32/Bumat!rts (other), TR/Agent.cyzi (Avira), W32/Malware.IBTS (Norman), Trj/Agent.NVB (Panda), Trojan.Win32.Nodef.xne (Rising AV), TROJ_AGENT.AVEV (Trend Micro), Trojan.Agent.PJEX (VirusBuster).

Explanation:

Trojan:Win32/Netvat.A is a trojan component that downloads configuration data and executes other malware identified as Trojan:Win32/Netvat.A!dll.

Installation

When run, Trojan:Win32/Netvat.A drops a copy of itself as the following:

  • %ProgramFiles%\360rpv.exe
  • %ProgramFiles%\syslass.cpl

The trojan also drops a component as the file "%windir%\system32\svcnet32.dll", which is detected as Trojan:Win32/Netvat.A!dll. The registry is modified to run the dropped malware component "svcnet32.dll" as a service:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    Sets value: "Avt-Net"
    With data: "avt-net"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Avt-Net
    Sets value: "ImagePath"
    With data: "%SystemRoot%\system32\svchost -k Avt-Net"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Avt-Net\Parameters
    Sets value: "ServiceDll"
    With data: "%SystemRoot%\system32\svcnet32.dll"

It also creates a mutex named "_u_hook" to ensure that only one instance of the malware is running.

Payload

Modifies Windows Explorer settings

The trojan modifies registry data so that files marked as 'hidden' are not displayed and the file extension of executable file types (commonly .EXE) is not shown:

    In subkey: HKLM\Software\Classes\exefile
    Sets value: "NeverShowExt"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Sets value: "Hidden"
    With data: "2"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    Sets value: "CheckedValue"
    With data: "0x00000001"

Downloads file

Trojan:Win32/Netvat.A attempts to download a data file named "index.txt" from the website "messager.xicp.net" and save it as the following:

    %ProgramFiles%\Common Files\plugins\index.txt

At the time of this publishing, the remote site was unavailable.

    Analysis by Marianne Mallen

    Last update 07 September 2010

     
