
TrojanDownloader:Win32/Nemim.gen!A


First posted on 15 April 2013.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Nemim.gen!A.

Explanation:



Installation

TrojanDownloader:Win32/Nemim.gen!A may arrive on your computer under the file name "igfxext.exe", which mimics a component of a display graphics driver in an effort to look inconspicuous.



Payload

Downloads and runs files

The trojan attempts to connect to one of a number of URLs, each of the form <host>/bin/read_i.php?a1=<data>, in order to download and run a file named "ctfmon.exe".



Note: <data> is the information the trojan steals, encrypted and then Base64-encoded. See the "Steals information about your computer" section below for details.

Once downloaded, "ctfmon.exe" is detected as one of the following:

  • PWS:Win32/Nemim.A
  • Virus:Win32/Nemim.gen!A


Steals information about your computer

TrojanDownloader:Win32/Nemim.gen!A has been observed stealing the following information about your computer:

  • The version of Windows installed on your computer and service pack details
  • Your computer's language settings
  • Your computer's name
  • The user name of the currently logged-in user
  • The number of USB ports on your computer
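The check-in described above (a request to /bin/read_i.php whose a1 parameter carries the stolen system details, encrypted and then Base64-encoded) can be hunted for in web proxy logs. The following is an added example, not code from Microsoft or from the analysis; it assumes a simple constructed log format, matches on the stable request path rather than the rotating hosts, and rates a hit "high" only when a1 holds well-formed Base64.

```python
import base64, binascii, re
from urllib.parse import unquote, urlparse

# Constructed sample proxy log lines (not real traffic): "<time> <client> <method> <url> <status>".
# The first a1 value is a plaintext stand-in for the encrypted blob a real beacon would carry.
SAMPLE_LOG = """\
2013-04-15T10:01:02Z 10.0.0.12 GET http://example-c2.invalid/bin/read_i.php?a1=V2luZG93cyA3IFNQMXxlbi1VU3xXUzAxfGJvYnw0 200
2013-04-15T10:01:05Z 10.0.0.12 GET http://www.example.org/index.html 200
2013-04-15T10:02:11Z 10.0.0.20 GET http://another-c2.invalid/bin/read_i.php?a1=not%20base64!! 404
2013-04-15T10:03:44Z 10.0.0.31 GET http://example.net/bin/read_i.php 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
BEACON_PATH = "/bin/read_i.php"  # check-in path from the description; hosts rotate, the path does not


def query_param(query: str, key: str) -> str:
    """Return one query value via unquote(): parse_qs() would turn '+' into a space and corrupt Base64."""
    for part in query.split("&"):
        k, _, v = part.partition("=")
        if k == key:
            return unquote(v)
    return ""


def is_base64(value: str) -> bool:
    """True if value is non-empty and decodes under strict Base64 alphabet and padding rules."""
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False


def find_nemim_beacons(log_text: str) -> list:
    """One finding per request on the check-in path; 'high' confidence needs well-formed Base64 in a1."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        parsed = urlparse(url)
        if parsed.path != BEACON_PATH:
            continue
        a1 = query_param(parsed.query, "a1")
        strong = is_base64(a1)
        findings.append({
            "time": ts, "client": client, "host": parsed.hostname, "status": int(status),
            "confidence": "high" if strong else "low",
            "payload_bytes": len(base64.b64decode(a1)) if strong else 0,
        })
    return findings
```

A low-confidence hit still points at the path shape; pivot on the client and host before treating it as a Nemim infection.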


Deletes files

When executed, it attempts to delete the following files from the directory in which the malware resides, in an effort to hide its presence; once deleted, these files cannot be recovered:

  • automngr.exe
  • ctfmon.exe
  • dmaup1.exe
  • dmaup2.exe
  • dmaup3.exe
  • dmaup4.exe
  • rstimgr.dll
  • rstimgr.inf
  • smcnmgr.exe
  • winmsgr.exe




Analysis by Jonathan San Jose

Last update 15 April 2013

 
